When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description |
-|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
-| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
-| Enabled | 0 | 0 | Load the Start page. |
-| Enabled | 1 | 1 | Load the New Tab page. |
-| Enabled | 2 | 2 | Load the previous pages. |
-| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. |
-
----
-
-
->[!TIP]
->If you want to make changes to this policy:
- Set the **Disabled Lockdown of Start Pages** policy to not configured.
- Make changes to the **Configure Open Microsoft With** policy.
- Enable the **Disabled Lockdown of Start Pages** policy.
+> *Default setting: Enabled (A specific page or pages)* + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description |
+|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
+| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
+| Enabled | 0 | 0 | Load the Start page. |
+| Enabled | 1 | 1 | Load the New Tab page. |
+| Enabled | 2 | 2 | Load the previous pages. |
+| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. |
+
+---
+
+> [!TIP]
+> If you want to make changes to this policy:
- Set the **Disabled Lockdown of Start Pages** policy to not configured.
- Make changes to the **Configure Open Microsoft With** policy.
- Enable the **Disabled Lockdown of Start Pages** policy.
->*Default setting: Disabled or not configured (Customizable)* - -[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] - - ->[!IMPORTANT] ->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - -### Supported values - -| Group Policy | Description | Most restricted | -|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file** and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
- HTTP location: "SiteList"=
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+> *Default setting: Disabled or not configured (Customizable)* + +[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + + +> [!IMPORTANT] +> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + +### Supported values + +| Group Policy | Description | Most restricted | +|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | +| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file** and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
- HTTP location: "SiteList"=
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index 2d8195f03e..0f909d31d7 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -1,62 +1,63 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] - ->[!TIP] ->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. - - -### Supported values - -| Group Policy | MDM | Registry | Description | Most restricted | -|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| -| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  | -| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.
Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
- Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
+--- +author: eavena +ms.author: eravena +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + + +> *Supported versions: Microsoft Edge on Windows 10*
+> *Default setting: Disabled or not configured* + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + +> [!TIP] +> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. + + +### Supported values + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  | +| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.
Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
- Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index c4141688d8..8249262926 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -1,8 +1,8 @@ --- title: Deploy Microsoft Edge Legacy kiosk mode description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access. -ms.assetid: -ms.reviewer: +ms.assetid: +ms.reviewer: audience: itpro manager: dansimp author: dansimp @@ -16,28 +16,28 @@ ms.date: 01/17/2020 # Deploy Microsoft Edge Legacy kiosk mode ->Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later ->Professional, Enterprise, and Education +> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later +> Professional, Enterprise, and Education > [!NOTE] > You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode). In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode. -In this topic, you'll learn: +In this topic, you'll learn: - How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access. -- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices. -- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service. +- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices. +- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service. -At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. +At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. ## Kiosk mode configuration types ->**Policy** = Configure kiosk mode (ConfigureKioskMode) +> **Policy** = Configure kiosk mode (ConfigureKioskMode) -Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. +Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. - Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image) @@ -50,9 +50,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend ### Important things to note before getting started -- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device. +- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device. -- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks. +- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks. - Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. @@ -67,7 +67,7 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3). -### Supported configuration types +### Supported configuration types [!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] @@ -75,9 +75,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode: -- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. +- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. -- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). +- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). ### Prerequisites @@ -89,14 +89,14 @@ Now that you're familiar with the different kiosk mode configurations and have t - URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. - _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy: - + ``` Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge ``` ### Setup required for Microsoft Edge Legacy kiosk mode -When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge. +When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge. To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions: @@ -104,11 +104,11 @@ To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take on - To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge. > [!NOTE] -> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge). +> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge). ### Use Windows Settings -Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. +Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. 1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. @@ -120,9 +120,9 @@ Windows Settings is the simplest and the only way to set up one or a couple of s 5. Select how Microsoft Edge Legacy displays when running in kiosk mode: - - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data. + - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data. - - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data. + - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data. 6. Select **Next**. @@ -136,23 +136,23 @@ Windows Settings is the simplest and the only way to set up one or a couple of s 11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. -**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings. +**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings. -**_What's next?_** +**_What's next?_** - User your new kiosk device.
OR
- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**. ---- +--- ### Use Microsoft Intune or other MDM service With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). ->[!IMPORTANT] ->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. +> [!IMPORTANT] +> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. 1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. @@ -166,7 +166,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New Tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com | | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com | - + **_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
@@ -177,7 +177,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
## Supported policies for kiosk mode
-Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions.
@@ -251,18 +251,18 @@ Make sure to check with your provider for instructions.
 = Not applicable or not supported
 = Supported
----
+---
## Feature comparison of kiosk mode and kiosk browser app
In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
+| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Print support |  |  |
| Multi-tab support |  |  |
-| Allow/Block URL support |   |
+| Allow/Block URL support |  |  |
| Configure Home Button |  |  |
| Set Start page(s) URL |  | 
*Same as Home button URL* | | Set New Tab page URL |  |  | @@ -280,6 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende ## Provide feedback or get support -To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. +To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. **_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md index 91065aa687..35f4b5ac73 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md @@ -1,12 +1,13 @@ --- author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: 04/23/2020 ms.reviewer: -audience: itpro manager: dansimp +audience: itpro +manager: dansimp ms.prod: edge ms.topic: include --- -[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +[Microsoft browser extension policy](https://docs.microsoft.com/legal/microsoft-edge/microsoft-browser-extension-policy): +This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**. diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md index 8ec157e607..00e7a02d51 100644 --- a/browsers/edge/web-app-compat-toolkit.md +++ b/browsers/edge/web-app-compat-toolkit.md @@ -1,6 +1,6 @@ --- title: Web Application Compatibility lab kit -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp description: Learn how to use the web application compatibility toolkit for Microsoft Edge. @@ -14,7 +14,7 @@ ms.localizationpriority: high # Web Application Compatibility lab kit ->Updated: October, 2017 +> Updated: October, 2017 Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility. @@ -22,7 +22,7 @@ The Web Application Compatibility Lab Kit is a primer for the features and techn The Web Application Compatibility Lab Kit includes: -- A pre-configured Windows 7 and Windows 10 virtual lab environment with: +- A pre-configured Windows 7 and Windows 10 virtual lab environment with: - Windows 7 Enterprise Evaluation - Windows 10 Enterprise Evaluation (version 1607) - Enterprise Mode Site List Manager @@ -36,10 +36,10 @@ Depending on your environment, your web apps may "just work” using the methods There are two versions of the lab kit available: -- Full version (8 GB) - includes a complete virtual lab environment +- Full version (8 GB) - includes a complete virtual lab environment - Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system -The Web Application Compatibility Lab Kit is also available in the following languages: +The Web Application Compatibility Lab Kit is also available in the following languages: - Chinese (Simplified) - Chinese (Traditional) @@ -48,11 +48,11 @@ The Web Application Compatibility Lab Kit is also available in the following lan - Italian - Japanese - Korean -- Portuguese (Brazil) +- Portuguese (Brazil) - Russian - Spanish [DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab) ->[!TIP] ->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. +> [!TIP] +> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space. diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md index cbfc5f11b5..867bb143b8 100644 --- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md @@ -8,7 +8,7 @@ ms.prod: ie11 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp --- @@ -17,16 +17,16 @@ ms.author: dansimp **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. ->[!Important] ->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. +> [!Important] +> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. **To create a new change request** 1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. @@ -36,7 +36,7 @@ Employees assigned to the Requester role can create a change request. A change r 2. Fill out the required fields, based on the group and the app, including: - **Group name.** Select the name of your group from the dropdown box. - + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. @@ -58,16 +58,16 @@ Employees assigned to the Requester role can create a change request. A change r - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). - + 4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. - + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. 5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. - + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. ## Next steps -After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md). diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md index 8090fc9ba8..9da0e79778 100644 --- a/browsers/enterprise-mode/enterprise-mode-features-include.md +++ b/browsers/enterprise-mode/enterprise-mode-features-include.md @@ -1,4 +1,5 @@ ### Enterprise Mode features + Enterprise Mode includes the following features: - **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. @@ -8,9 +9,9 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso - **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. - >[!Important] - >All centrally-made decisions override any locally-made choices. + > [!Important] + > All centrally-made decisions override any locally-made choices. - **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. -- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. \ No newline at end of file +- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md index a72f720a3f..3e06b8b806 100644 --- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md @@ -8,7 +8,7 @@ ms.prod: ie11 title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp --- @@ -17,18 +17,18 @@ ms.author: dansimp **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) ->[!Important] ->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. +> [!Important] +> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: -- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. - **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 22464cc569..31961c97a1 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md +++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -1,22 +1,23 @@ ---- -author: eavena -ms.author: eravena -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. - ->[!IMPORTANT] ->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do. - -1. In the Enterprise Mode Site List Manager, click **File \> Import**. - -2. Go to the exported .EMIE file.
For example, `C:\users\ For example, `C:\users\
+6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
+
+7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance#updated-schema-attributes).
+
+8. Click **Save** to validate your website and to add it to the site list for your enterprise.
If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
-7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+9. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
## Next steps
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index d15192b9d3..278408ab38 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,16 +18,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -37,7 +37,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -59,16 +59,17 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index 008e2624c0..d94601a9d5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -20,7 +20,7 @@ ms.date: 07/27/2017
If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
## Group Policy Object-related Log Files
-You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**. For more information about the Event Viewer, see [What information appears in event logs? (Event Viewer)](https://go.microsoft.com/fwlink/p/?LinkId=294917).
+You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png
index d2508016be..7626296e87 100644
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png and b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
new file mode 100644
index 0000000000..bb22b43b3f
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -0,0 +1,47 @@
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to use Site List Manager to review neutral sites for IE mode
+author: dansimp
+ms.prod: ie11
+ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+ms.sitesec: library
+ms.date: 04/02/2020
+---
+
+# Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8
+- Windows Server 2012 R2
+- Microsoft Edge version 77 or later
+
+> [!NOTE]
+> This feature is available on the Enterprise Mode Site List Manager version 11.0.
+
+## Overview
+
+While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
+
+The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion.
+
+## Flag neutral sites
+
+To identify neutral sites to review:
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **File > Flag neutral sites**.
+2. If selecting this option has no effect, there are no sites that needs to be reviewed. Otherwise, you will see a message **"Engine neutral sites flagged for review"**. When a site is flagged, you can assess if the site needs to be removed entirely, or if it needs the open-in attribute changed from None to MSEdge.
+3. If you believe that a flagged site is correctly configured, you can edit the site entry and click on **"Clear Flag"**. Once you select that option for a site, it will not be flagged again.
+
+## Related topics
+
+- [About IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode)
+- [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index bc468576ed..0f35b04d1c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -31,7 +31,7 @@ You can search to see if a specific site already appears in your global Enterpri
**To search your compatibility list**
- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.
- The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported.
+ The search query searches all of the text. For example, entering *“micro”* will return results like, `www.microsoft.com`, `microsoft.com`, and `microsoft.com/images`. Wildcard characters aren’t supported.
## Related topics
- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 58ffc300ce..3cbc140f4b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -26,7 +26,7 @@ ms.date: 12/04/2017
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
-Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
@@ -49,12 +49,14 @@ The following topics give you more information about the things that you can do
|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites. This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors. This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md) |How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the Enterprise Mode Site List Manager version 11.0 or later. |
|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems. This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else. This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list. This topic applies to both versions of the Enterprise Mode Site List Manager. |
+| [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](review-neutral-sites-with-site-list-manager.md)|How to flag sites listed as neutral, to ensure that they are intentional and not a result of schema conversion. This topic applies to the latest version of the Enterprise Mode Site List Manager.
## Related topics
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index 8a161b2ffb..a3fce1731d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,18 +18,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index da309b68cd..1a2c6fc17a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -20,11 +20,11 @@ ms.date: 10/25/2018
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
@@ -33,7 +33,7 @@ If you have specific websites and apps that you know have compatibility problems
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
->[!TIP]
+> [!TIP]
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
@@ -54,8 +54,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
@@ -121,11 +121,11 @@ There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
- We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
- If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index a4cb639bc5..e35b64b8a4 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -5,8 +5,8 @@ description: Get answers to commonly asked questions about the Internet Explorer
author: dansimp
ms.author: dansimp
ms.prod: ie11
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
@@ -16,50 +16,50 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
-Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
+Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
->[!Important]
->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+> [!Important]
+> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
-- [Automatic updates delivery process](#automatic-updates-delivery-process)
+- [Automatic updates delivery process](#automatic-updates-delivery-process)
-- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
+- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
-- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
+- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
## Automatic Updates delivery process
-**Q. Which users will receive Internet Explorer 11 as an important update?**
-A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
-
-**Q. When is the Blocker Toolkit available?**
-A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
-
-**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
-A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
-
-**Q. How long does the blocker mechanism work?**
-A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
-
-**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
-A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
-
+**Q. Which users will receive Internet Explorer 11 as an important update?**
+A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
+
+**Q. When is the Blocker Toolkit available?**
+A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
+
+**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
+A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
+
+**Q. How long does the blocker mechanism work?**
+A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
+
+**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
+A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
+
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or
-other update management solution.
-
-**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
+other update management solution.
+
+**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
## How the Internet Explorer 11 Blocker Toolkit works
-**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
-A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
-
-**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
-A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
-
-**Q. What’s the registry key name and values?**
+**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
+A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
+
+**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
+A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
+
+**Q. What’s the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
@@ -67,23 +67,23 @@ The registry key name is **DoNotAllowIE11**, where:
- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
-A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
-
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
-A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
-
-**Q. How does the provided script work?**
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
+A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
+
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
+A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
+
+**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
-**Q. What’s the ADM template file used for?**
-A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
-
-**Q. Is the tool localized?**
+**Q. What’s the ADM template file used for?**
+A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
+
+**Q. Is the tool localized?**
A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
## Internet Explorer 11 Blocker Toolkit and other update services
@@ -91,17 +91,17 @@ A. No. The tool isn’t localized, it’s only available in English (en-us). How
**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?** Schema name Name of the schema. Applicable starting in App-V 5.0 SP3: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file: AppConnectionGroupId Schema name Name of the schema. Applicable starting in App-V 5.0 SP3: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file: AppConnectionGroupId Microsoft SQL Server 2019 32-bit or 64-bit Microsoft SQL Server 2017 Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services: Office 365 ProPlus Microsoft 365 Apps for enterprise Visio Pro for Office 365 Project Pro for Office 365 Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services: Office 365 ProPlus Microsoft 365 Apps for enterprise Visio Pro for Office 365 Project Pro for Office 365 Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services: Office 365 ProPlus Microsoft 365 Apps for enterprise Visio Pro for Office 365 Project Pro for Office 365 Channel (attribute of Add element) Optional. Specifies the update channel for the product that you want to download or install. For more information about update channels, see Overview of update channels for Office 365 ProPlus. Optional. Specifies the update channel for the product that you want to download or install. For more information about update channels, see Overview of update channels for Microsoft 365 Apps for enterprise. Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services: Office 365 ProPlus Microsoft 365 Apps for enterprise Visio Pro for Office 365 Project Pro for Office 365 Branch (attribute of Add element) Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Office 365 ProPlus. Optional. Specifies the update branch for the product that you want to download or install. For more information about update branches, see Overview of update branches for Microsoft 365 Apps for enterprise. To Install the Management server and Management database on a local machine. To use the default instance of Microsoft SQL Server, use the following parameters: /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /MANAGEMENT_DB_NAME To use a custom instance of Microsoft SQL Server, use the following parameters: /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE /MANAGEMENT_DB_NAME Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup” /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service” /MANAGEMENT_WEBSITE_PORT=”8080” /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /MANAGEMENT_DB_NAME=”AppVManagement” To Install the Management server using an existing Management database on a local machine. To use the default instance of Microsoft SQL Server, use the following parameters: /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /EXISTING_MANAGEMENT_DB_NAME To use a custom instance of Microsoft SQL Server, use these parameters: /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE /EXISTING_MANAGEMENT_DB_NAME Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup” /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service” /MANAGEMENT_WEBSITE_PORT=”8080” /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName” /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement” To install the Management server using an existing Management database on a remote machine. To use the default instance of Microsoft SQL Server, use the following parameters: /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /EXISTING_MANAGEMENT_DB_NAME To use a custom instance of Microsoft SQL Server, use these parameters: /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT /MANAGEMENT_WEBSITE_NAME /MANAGEMENT_WEBSITE_PORT /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE /EXISTING_MANAGEMENT_DB_NAME Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup” /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service” /MANAGEMENT_WEBSITE_PORT=”8080” /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME=”SqlServermachine.domainName” /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName” /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement” To Install the Management database and the Management Server on the same computer. To use the default instance of Microsoft SQL Server, use the following parameters: /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /MANAGEMENT_DB_NAME /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT To use a custom instance of Microsoft SQL Server, use these parameters: /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE /MANAGEMENT_DB_NAME /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /MANAGEMENT_DB_NAME=”AppVManagement” /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” To install the Management database on a different computer than the Management server. To use the default instance of Microsoft SQL Server, use the following parameters: /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT /MANAGEMENT_DB_NAME /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT To use a custom instance of Microsoft SQL Server, use these parameters: /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE /MANAGEMENT_DB_NAME /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /MANAGEMENT_DB_NAME=”AppVManagement” /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount” /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” To Install the publishing server. To use the default instance of Microsoft SQL Server, use the following parameters: /PUBLISHING_SERVER /PUBLISHING_MGT_SERVER /PUBLISHING_WEBSITE_NAME /PUBLISHING_WEBSITE_PORT Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /PUBLISHING_SERVER /PUBLISHING_MGT_SERVER=”http://ManagementServerName:ManagementPort” /PUBLISHING_WEBSITE_NAME=”Microsoft AppV Publishing Service” /PUBLISHING_WEBSITE_PORT=”8081” To Install the Reporting server and Reporting database on a local machine. To use the default instance of Microsoft SQL Server, use the following parameters: /REPORTING _SERVER /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /DB_PREDEPLOY_REPORTING /REPORTING _DB_SQLINSTANCE_USE_DEFAULT /REPORTING _DB_NAME To use a custom instance of Microsoft SQL Server, use these parameters: /REPORTING _SERVER /REPORTING _ADMINACCOUNT /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /DB_PREDEPLOY_REPORTING /REPORTING _DB_CUSTOM_SQLINSTANCE /REPORTING _DB_NAME Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service” /REPORTING_WEBSITE_PORT=”8082” /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /REPORTING_DB_NAME=”AppVReporting” To Install the Reporting server and using an existing Reporting database on a local machine. To use the default instance of Microsoft SQL Server, use the following parameters: /REPORTING _SERVER /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT /EXISTING_REPORTING _DB_NAME To use a custom instance of Microsoft SQL Server, use these parameters: /REPORTING _SERVER /REPORTING _ADMINACCOUNT /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE /EXISTING_REPORTING _DB_NAME Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service” /REPORTING_WEBSITE_PORT=”8082” /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /EXITING_REPORTING_DB_NAME=”AppVReporting” To Install the Reporting server using an existing Reporting database on a remote machine. To use the default instance of Microsoft SQL Server, use the following parameters: /REPORTING _SERVER /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT /EXISTING_REPORTING _DB_NAME To use a custom instance of Microsoft SQL Server, use these parameters: /REPORTING _SERVER /REPORTING _ADMINACCOUNT /REPORTING _WEBSITE_NAME /REPORTING _WEBSITE_PORT /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE /EXISTING_REPORTING _DB_NAME Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service” /REPORTING_WEBSITE_PORT=”8082” /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME=”SqlServerMachine.DomainName” /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /EXITING_REPORTING_DB_NAME=”AppVReporting” To install the Reporting database on the same computer as the Reporting server. To use the default instance of Microsoft SQL Server, use the following parameters: /DB_PREDEPLOY_REPORTING /REPORTING _DB_SQLINSTANCE_USE_DEFAULT /REPORTING _DB_NAME /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT To use a custom instance of Microsoft SQL Server, use these parameters: /DB_PREDEPLOY_REPORTING /REPORTING _DB_CUSTOM_SQLINSTANCE /REPORTING _DB_NAME /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /REPORTING_DB_NAME=”AppVReporting” /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” To install the Reporting database on a different computer than the Reporting server. To use the default instance of Microsoft SQL Server, use the following parameters: /DB_PREDEPLOY_REPORTING /REPORTING _DB_SQLINSTANCE_USE_DEFAULT /REPORTING _DB_NAME /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT To use a custom instance of Microsoft SQL Server, use these parameters: /DB_PREDEPLOY_REPORTING /REPORTING _DB_CUSTOM_SQLINSTANCE /REPORTING _DB_NAME /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT Using a custom instance of Microsoft SQL Server example: /appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName” /REPORTING_DB_NAME=”AppVReporting” /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount” /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount” /QUIET Specifies silent install. /UNINSTALL Specifies an uninstall. /LAYOUT Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected. /LAYOUTDIR Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server” /INSTALLDIR Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server” /MUOPTIN Enables Microsoft Update. No value is expected /ACCEPTEULA Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1. /MANAGEMENT_SERVER Specifies that the management server will be installed. No value is expected /MANAGEMENT_ADMINACCOUNT Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: /MANAGEMENT_ADMINACCOUNT=”mydomain\admin”. If /MANAGEMENT_SERVER is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, /MANAGEMENT_ADMINACCOUNT="mydomain\admin". /MANAGEMENT_WEBSITE_NAME Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service” MANAGEMENT_WEBSITE_PORT Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82. /DB_PREDEPLOY_MANAGEMENT Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT Indicates that the default SQL instance should be used. No value is expected. /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored. /MANAGEMENT_DB_NAME Specifies the name of the new management database that should be created. Example usage: /MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored. /MANAGEMENT_SERVER_MACHINE_USE_LOCAL Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT Specifies the machine account of the remote machine that the management server will be installed on. Example usage: /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername” /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT Indicates the Administrator account that will be used to install the management server. Example usage: /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias” /PUBLISHING_SERVER Specifies that the Publishing Server will be installed. No value is expected /PUBLISHING_MGT_SERVER Specifies the URL to Management Service the Publishing server will connect to. Example usage: http://<management server name>:<Management server port number>. If /PUBLISHING_SERVER is not used, this parameter will be ignored /PUBLISHING_WEBSITE_NAME Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service” /PUBLISHING_WEBSITE_PORT Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83 /REPORTING_SERVER Specifies that the Reporting Server will be installed. No value is expected /REPORTING_WEBSITE_NAME Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService" /REPORTING_WEBSITE_PORT Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82 /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected. /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1" /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER" /EXISTING_ REPORTING _DB_NAME Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_NAME="AppVReporting" /DB_PREDEPLOY_REPORTING Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected /REPORTING_DB_SQLINSTANCE_USE_DEFAULT Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER" /REPORTING_DB_NAME Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME="AppVMgmtDB" /REPORTING_SERVER_MACHINE_USE_LOCAL Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername" /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias" /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1" /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE Specifies the name of the custom SQL instance that will be used. Example usage /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. /EXISTING_MANAGEMENT_DB_NAME Specifies the name of the existing management database that should be used. Example usage: /EXISTING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored. Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). Management database ManagementDatabase subfolder Reporting database ReportingDatabase subfolder Example connection group XML document with optional packages: Example connection group XML document with optional packages: Office 365 ProPlus Microsoft 365 Apps for enterprise Also supported: Visio Pro for Office 365 unsupported version Tenant or user data are missingor other required prerequisites for device enrollment are not met Tenant or user data are missing or other required prerequisites for device enrollment are not met 302 unauthorized_client unauthorized user or tenant Required. Returns the device model name /SystemProductName as a string.
+Required. Returns the device model name /SystemProductName as a string.
- Supported operation is Get.
+Supported operation is Get.
**OEM**
- Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
+Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
- Supported operation is Get.
+Supported operation is Get.
**FwV**
- Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
+Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
- Supported operation is Get.
+Supported operation is Get.
**SwV**
- Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
- Supported operation is Get.
+Supported operation is Get.
**HwV**
- Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
+Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
- For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
+For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
- Supported operation is Get.
+Supported operation is Get.
**LrgObj**
- Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
+Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
- Supported operation is Get.
+Supported operation is Get.
**URI/MaxDepth**
- Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
+Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
- Supported operation is Get.
+Supported operation is Get.
- This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
+This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
**URI/MaxTotLen**
- Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
+Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
- Supported operation is Get.
+Supported operation is Get.
- This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
+This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
**URI/MaxSegLen**
- Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
+Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
- Supported operation is Get.
+Supported operation is Get.
- This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
+This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
**Ext/Microsoft/MobileID**
- Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
+Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
- Supported operation is Get.
+Supported operation is Get.
- The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
-
-**Ext/Microsoft/LocalTime**
- Required. Returns the client local time in ISO 8601 format.
-
- Supported operation is Get.
-
-**Ext/Microsoft/OSPlatform**
- Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
-
- Supported operation is Get.
-
-**Ext/Microsoft/ProcessorType**
- Required. Returns the processor type of the device as documented in SYSTEM_INFO.
-
- Supported operation is Get.
+The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
**Ext/Microsoft/RadioSwV**
- Required. Returns the radio stack software version number.
+Required. Returns the radio stack software version number.
- Supported operation is Get.
+Supported operation is Get.
**Ext/Microsoft/Resolution**
- Required. Returns the UI screen resolution of the device (example: "480x800").
+Required. Returns the UI screen resolution of the device (example: "480x800").
- Supported operation is Get.
+Supported operation is Get.
**Ext/Microsoft/CommercializationOperator**
- Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
+Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
- Supported operation is Get.
+Supported operation is Get.
**Ext/Microsoft/ProcessorArchitecture**
- Required. Returns the processor architecture of the device as "arm" or "x86".
+Required. Returns the processor architecture of the device as "arm" or "x86".
- Supported operation is Get.
+Supported operation is Get.
+
+**Ext/Microsoft/ProcessorType**
+Required. Returns the processor type of the device as documented in SYSTEM_INFO.
+
+Supported operation is Get.
+
+**Ext/Microsoft/OSPlatform**
+Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
+
+Supported operation is Get.
+
+**Ext/Microsoft/LocalTime**
+Required. Returns the client local time in ISO 8601 format.
+
+Supported operation is Get.
**Ext/Microsoft/DeviceName**
- Required. Contains the user-specified device name.
+Required. Contains the user-specified device name.
- Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
+Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
- Value type is string.
+Value type is string.
- Supported operations are Get and Replace.
+Supported operations are Get and Replace.
+
+**Ext/Microsoft/DNSComputerName**
+Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md).
+
+The following are the available naming macros:
+
+| Macro | Description | Example | Generated Name |
+| -------| -------| -------| -------|
+| %RAND:<# of digits> | Generates the specified number of random digits. | Test%RAND:6% | Test123456|
+| %SERIAL% | Generates the serial number derived from the device. If the serial number causes the new name to exceed the 63 character limit, the serial number will be truncated from the beginning of the sequence.| Test-Device-%SERIAL% | Test-Device-456|
+
+Value type is string. Supported operations are Get and Replace.
+
+> [!Note]
+> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer"s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
**Ext/Microsoft/TotalStorage**
- Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
+Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
- Supported operation is Get.
+Supported operation is Get.
> [!NOTE]
> This is only supported in Windows 10 Mobile.
**Ext/Microsoft/TotalRAM**
- Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
+Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
Supported operation is Get.
@@ -153,45 +168,45 @@ Added in Windows 10, version 1809. SMBIOS Serial Number of the device.
Value type is string. Supported operation is Get.
**Ext/WLANMACAddress**
- The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
+The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
- Supported operation is Get.
+Supported operation is Get.
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
**Ext/VoLTEServiceSetting**
- Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
+Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
- Supported operation is Get.
+Supported operation is Get.
**Ext/WlanIPv4Address**
- Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
+Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
- Supported operation is Get.
+Supported operation is Get.
**Ext/WlanIPv6Address**
- Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
- Supported operation is Get.
+Supported operation is Get.
**Ext/WlanDnsSuffix**
- Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
- Supported operation is Get.
+Supported operation is Get.
**Ext/WlanSubnetMask**
- Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
+Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
- Supported operation is Get.
+Supported operation is Get.
**Ext/DeviceHardwareData**
- Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
+Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!NOTE]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
- Supported operation is Get.
+Supported operation is Get.
## Related topics
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index b313ad3605..47df0219d5 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -21,7 +21,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DevDeta
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1809.
+The XML below is the current version for this CSP.
```xml
@@ -488,6 +488,28 @@ The XML below is for Windows 10, version 1809.
+ The root node for the CSP.
+The root node for the CSP.
**Settings**
- The root node for the Windows Information Protection (WIP) configuration settings.
+The root node for the Windows Information Protection (WIP) configuration settings.
**Settings/EDPEnforcementLevel**
- Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
+Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
- The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Off / No protection (decrypts previously protected data).
- 1 – Silent mode (encrypt and audit only).
- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/EnterpriseProtectedDomainNames**
- A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
+A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
- Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
+Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.
-> **Note** The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
+> [!Note]
+> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
- Here are the steps to create canonical domain names:
+Here are the steps to create canonical domain names:
-1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
+1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
- Supported operations are Add, Get, Replace and Delete. Value type is string.
+Supported operations are Add, Get, Replace, and Delete. Value type is string.
**Settings/AllowUserDecryption**
- Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
+Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!IMPORTANT]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
- The following list shows the supported values:
+The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
- Most restricted value is 0.
+Most restricted value is 0.
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RequireProtectionUnderLockConfig**
- Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
+Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
- The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Not required.
- 1 – Required.
- Most restricted value is 1.
+Most restricted value is 1.
- The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
+The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
-> **Note** This setting is only supported in Windows 10 Mobile.
+> [!Note]
+> This setting is only supported in Windows 10 Mobile.
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/DataRecoveryCertificate**
- Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy.
+Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy.
-> **Note** If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
+> [!Note]
+> If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
- DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
+DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
The binary blob is the serialized version of following structure:
``` syntax
@@ -231,60 +234,59 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
```
- For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
+For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate.
- Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate.
+Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
**Settings/RevokeOnUnenroll**
- This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
+This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
- The following list shows the supported values:
+The following list shows the supported values:
- 0 – Don't revoke keys.
- 1 (default) – Revoke keys.
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RevokeOnMDMHandoff**
- Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
+Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (default) - Revoke keys
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/RMSTemplateIDForEDP**
- TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
+TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
- Supported operations are Add, Get, Replace and Delete. Value type is string (GUID).
+Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
**Settings/AllowAzureRMSForEDP**
- Specifies whether to allow Azure RMS encryption for WIP.
+Specifies whether to allow Azure RMS encryption for WIP.
- 0 (default) – Don't use RMS.
- 1 – Use RMS.
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Settings/SMBAutoEncryptedFileExtensions**
- Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
- When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
- Supported operations are Add, Get, Replace and Delete. Value type is string.
+Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.
+When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
+Supported operations are Add, Get, Replace and Delete. Value type is string.
**Settings/EDPShowIcons**
- Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
-
- The following list shows the supported values:
+Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
+The following list shows the supported values:
- 0 (default) - No WIP overlays on icons or tiles.
- 1 - Show WIP overlays on protected files and apps that can only create enterprise content.
- Supported operations are Add, Get, Replace and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**Status**
- A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
+A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
- Suggested values:
+Suggested values:
Bit 0 indicates whether WIP is on or off.
+Bit 0 indicates whether WIP is on or off.
- Bit 1 indicates whether AppLocker WIP policies are set.
+Bit 1 indicates whether AppLocker WIP policies are set.
- Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
+Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero).
- Here's the list of mandatory WIP policies:
+Here's the list of mandatory WIP policies:
- EDPEnforcementLevel in EnterpriseDataProtection CSP
- DataRecoveryCertificate in EnterpriseDataProtection CSP
@@ -333,9 +335,9 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
- NetworkIsolation/EnterpriseIPRange in Policy CSP
- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP
- Bits 2 and 4 are reserved for future use.
+Bits 2 and 4 are reserved for future use.
- Supported operation is Get. Value type is integer.
+Supported operation is Get. Value type is integer.
diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
index 3e7c2b1693..8f00e3fe0b 100644
--- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md
+++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseExtFileSystem CSP
-description: EnterpriseExtFileSystem CSP
+description: Add, retrieve, or change files through the Mobile Device Management (MDM) service using the EnterpriseExtFileSystem CSP.
ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index 99150bef80..f7544b10a4 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement XSD
-description: Here is the XSD for the application parameters.
+description: Use the EnterpriseModernAppManagement XSD for set application parameters.
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index b8f27a73dc..1fae08c646 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -1,6 +1,6 @@
---
title: Firewall CSP
-description: Firewall CSP
+description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md
index 772d402b87..87699a8b11 100644
--- a/windows/client-management/mdm/get-offline-license.md
+++ b/windows/client-management/mdm/get-offline-license.md
@@ -1,6 +1,6 @@
---
title: Get offline license
-description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business.
+description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business.
ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get offline license
-The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business.
+The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md
index 394b64e58c..5ad2851bc5 100644
--- a/windows/client-management/mdm/get-product-packages.md
+++ b/windows/client-management/mdm/get-product-packages.md
@@ -1,6 +1,6 @@
---
title: Get product packages
-description: The Get product packages operation retrieves the information about applications in the Micosoft Store for Business.
+description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business.
ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product packages
-The **Get product packages** operation retrieves the information about applications in the Micosoft Store for Business.
+The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md
index 21d8f631c1..a510b2460c 100644
--- a/windows/client-management/mdm/get-seats.md
+++ b/windows/client-management/mdm/get-seats.md
@@ -1,6 +1,6 @@
---
title: Get seats
-description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business.
+description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get seats
-The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business.
+The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index 6926801241..6ece851369 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 254c91259b..57d1c57718 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -151,13 +151,13 @@ We have updated Skype for Business to work with MAM. The following table explain
Visio Pro for Office 365 Project Desktop Client Office 365 Business (the version of Office that comes with some Office 365 plans, such as Business Premium.) Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.) Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. Added new policies. Added a new section: This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index a55e6716ff..c5e74893fc 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1025,6 +1025,7 @@ To validate on Desktop, do the following:
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
+> * User
> * Device
The supported operations are Get, Add, Replace, and Delete. The supported data type is "String". This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00 The supported operations are Get, Add, Replace, and Delete. The supported data type is "String". For example: If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work. If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
-|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
+|**Software** |**Minimum version** |
+|---------|---------|
+|Client operating system | Desktop: **Note** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** Use this setting if you only want to support Azure AD in your organization.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required. **Note** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **Important** Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
+:::image type="content" source="../../../images/screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
-## Create a reminder for a specific location
-This process helps you to create a reminder based on a specific location.
+:::image type="content" source="../../../images/screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
-2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
-
- 
-
-3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
-
- 
-
-4. Click **Done**.
-
- >[!NOTE]
- >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
-
-5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
-
-6. Take a picture of your receipts and store them locally on your device.
-
-7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
-
- The photo is stored with the reminder.
-
- 
-
-8. Review the reminder info, and then click **Remind**.
-
- The reminder is saved and ready to be triggered.
-
- 
-
-## Create a reminder for a specific location by using voice commands
-This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say _Remind me to grab my expense report receipts before I leave home_.
-
- Cortana opens a new reminder task and asks if it sounds good.
-
- 
-
-3. Say _Yes_ so Cortana can save the reminder.
-
- 
-
-## Edit or archive an existing reminder
-This process helps you to edit or archive and existing or completed reminder.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
- 
-
-2. Click the pending reminder you want to edit.
-
- 
-
-3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 4ea208fcfd..ec22777755 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -12,42 +12,16 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+# Test scenario 4 - Use Cortana to find free time on your calendar
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+This process helps you find out if a time slot is free on your calendar.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
-
->[!NOTE]
->If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
-
-## Find out about upcoming meetings
-This process helps you find your upcoming meetings.
-
-1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+1. Select the **Cortana** icon in the taskbar.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-3. Type _Show me my meetings for tomorrow_.
-
- You’ll see all your meetings scheduled for the next day.
-
- 
-
-## Find out about upcoming meetings by using voice commands
-This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
-
-2. Say _Show me what meeting I have at 3pm tomorrow_.
-
- >[!IMPORTANT]
- >Make sure that you have a meeting scheduled for the time you specify here.
-
- 
+3. Type **Am I free at 3 PM tomorrow?**
+Cortana will respond with your availability for that time, as well as nearby meetings.
+:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index f5efc05577..ee0bbe9a6e 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -12,48 +12,14 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 5 - Use Cortana to send email to a co-worker
+# Test scenario 5 - Test scenario 5 – Find out about a person
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+Cortana can help you quickly look up information about someone or the org chart.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+1. Select the **Cortana** icon in the taskbar.
-This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+2. Type or select the mic and say, **Who is name of person in your organization's?**
-## Send an email to a co-worker
-This process helps you to send a quick message to a co-worker from the work address book.
+:::image type="content" source="../../../images/screenshot8.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type _Send an email to <contact_name>_.
-
- Where _<contact_name>_ is the name of someone in your work address book.
-
-4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
-
- 
-
-## Send an email to a co-worker by using voice commands
-This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
-
-2. Say _Send an email to <contact_name>_.
-
- Where _<contact_name>_ is the name of someone in your work address book.
-
-3. Add your email message by saying, _Hello this is a test email using Cortana at work._
-
- The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
-
- 
-
-4. Say _Send it_.
-
- The email is sent.
-
- 
+Cortana will respond with information about the person. You can select the person to open information about them in Microsoft Search.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index f5ffb003b7..739f5afbfd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -12,38 +12,14 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
+# Test scenario 6 – Change your language and perform a quick search with Cortana
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location or another.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
+1. Select the **Cortana** icon in the taskbar.
-Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
+2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You will be prompted to restart the app.
->[!NOTE]
->The Suggested reminders feature is currently only available in English (en-us).
-
-**To use Cortana to create Suggested reminders for you**
-
-1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
-
-2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
-
-3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
-
- 
-
-4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
-
- 
-
-5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_.
-
-6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events.
-
- If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
-
- 
+3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
+:::image type="content" source="../../../images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index a00867e25b..c10a722ceb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -14,9 +14,6 @@ manager: dansimp
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
-
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 936f8b5788..9ab3b96e22 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -13,26 +13,19 @@ manager: dansimp
---
# Testing scenarios using Cortana in your business or organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
+- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
-- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
-- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md)
+- [Set a reminder](cortana-at-work-scenario-3.md)
-- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
+- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
-- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
+- [Find out about a person](cortana-at-work-scenario-5.md)
-- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+- [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md)
-- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 9ae00ff891..1425bcd323 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -13,15 +13,11 @@ manager: dansimp
---
# Set up and test custom voice commands in Cortana for your organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
-
-Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
>[!NOTE]
->For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
+>This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases.
+
+Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
## High-level process
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
new file mode 100644
index 0000000000..c1b71aa782
--- /dev/null
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -0,0 +1,49 @@
+---
+title: Set up and test Cortana in Windows 10, version 2004 and later
+ms.reviewer:
+manager: dansimp
+description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: kwekua
+ms.localizationpriority: medium
+ms.author: dansimp
+---
+
+# Set up and test Cortana in Windows 10, version 2004 and later
+
+## Before you begin
+
+- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later.
+- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store).
+
+## Set up and configure the Bing Answers feature
+Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com.
+
+The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
+
+## Configure the Bing Answers feature
+
+Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users.
+
+Users cannot enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows.
+
+Sign in to the [Office Configuration Admin tool](https://config.office.com/).
+
+Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
+
+:::image type="content" source="../../../images/screenshot3.png" alt-text="Screenshot: Bing policy example":::
+
+## How does Microsoft handle customer data for Bing Answers?
+
+When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following:
+
+1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned.
+
+2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
+
+Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users/user groups in their organization.
+
+## How the Bing Answer policy configuration is applied
+Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
new file mode 100644
index 0000000000..27402c3b61
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -0,0 +1,46 @@
+---
+title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
+description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
+
+This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook.
+
+## Sign in with your work or school account
+
+This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+
+1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
+
+2. Click your email address.
+
+A dialog box appears, showing the associated account info.
+
+3. Click **Sign out** under your email address.
+
+This signs out the Microsoft account, letting you continue to add your work or school account.
+
+4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account.
+
+## Use Cortana to manage the notebook content
+
+This process helps you to manage the content Cortana shows in your Notebook.
+
+1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**.
+
+2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**.
+
+3. Add **Redmond, Washington**.
+
+> [!IMPORTANT]
+> The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
new file mode 100644
index 0000000000..caf24e5f85
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@@ -0,0 +1,38 @@
+---
+title: Test scenario 2 - Perform a quick search with Cortana at work
+description: A test scenario about how to perform a quick search with Cortana at work.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 2 – Perform a quick search with Cortana at work
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
+
+## Search using Cortana
+
+1. Click on the Cortana icon in the taskbar, and then click in the Search bar.
+
+2. Type **Type Weather in New York**.
+
+You should see the weather in New York, New York at the top of the search results.
+Insert screenshot
+
+## Search with Cortana, by using voice commands
+
+This process helps you to use Cortana at work and voice commands to perform a quick search.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box).
+
+2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago.
+Insert screenshot
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
new file mode 100644
index 0000000000..e348a1cee9
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@@ -0,0 +1,79 @@
+---
+title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
+description: A test scenario about how to set up, review, and edit a reminder based on a location.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 3 - Set a reminder for a specific location using Cortana at work
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
+
+>[!Note]
+>You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
+
+Additionally, if you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page.
+
+## Create a reminder for a specific location
+
+This process helps you to create a reminder based on a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**.
+
+3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
+
+4. Click **Done**.
+
+>[!Note]
+>If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the Favorites list in Windows Maps.
+
+5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box.
+
+6. Take a picture of your receipts and store them locally on your device.
+
+7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
+
+The photo is stored with the reminder.
+
+Insert screenshot 6
+
+8. Review the reminder info, and then click **Remind**.
+
+The reminder is saved and ready to be triggered.
+Insert screenshot
+
+## Create a reminder for a specific location by using voice commands
+
+This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box).
+
+2. Say **Remind me to grab my expense report receipts before I leave home**.
+
+Cortana opens a new reminder task and asks if it sounds good.
+insert screenshot
+
+3. Say **Yes** so Cortana can save the reminder.
+insert screenshot
+
+## Edit or archive an existing reminder
+
+This process helps you to edit or archive and existing or completed reminder.
+
+1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
+
+2. Click the pending reminder you want to edit.
+
+3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
new file mode 100644
index 0000000000..a0ea0e6332
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -0,0 +1,52 @@
+---
+title: Use Cortana at work to find your upcoming meetings (Windows 10)
+description: A test scenario about how to use Cortana at work to find your upcoming meetings.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
+
+>[!Note]
+>If you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page.
+
+## Find out about upcoming meetings
+
+This process helps you find your upcoming meetings.
+
+1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type **Show me my meetings for tomorrow**.
+
+You’ll see all your meetings scheduled for the next day.
+
+Cortana at work, showing all upcoming meetings
+screenshot
+
+## Find out about upcoming meetings by using voice commands
+
+This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
+
+1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
+
+2. Say **Show me what meeting I have at 3pm tomorrow**.
+
+>[!Important]
+>Make sure that you have a meeting scheduled for the time you specify here.
+
+Cortana at work, showing the meeting scheduled for 3pm
+screenshot
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
new file mode 100644
index 0000000000..ec1cb06e32
--- /dev/null
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -0,0 +1,61 @@
+---
+title: Use Cortana to send email to a co-worker (Windows 10)
+description: A test scenario about how to use Cortana at work to send email to a co-worker.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.date: 10/05/2017
+ms.reviewer:
+manager: dansimp
+---
+
+# Test scenario 5 - Use Cortana to send email to a co-worker
+
+>[!Important]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+
+This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
+
+## Send email to a co-worker
+
+This process helps you to send a quick message to a co-worker from the work address book.
+
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+
+2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
+
+3. Type **Send an email to Understand the different ways that Windows 10 can be deployed Update Windows 10 in the enterprise Null Page Caller Check Simulate Execution Flow Stack Pivot Deep Hooks (an ROP “Advanced Mitigation”) Anti Detours (an ROP “Advanced Mitigation”) Banned Functions (an ROP “Advanced Mitigation”) Deep Hooks (an ROP "Advanced Mitigation") Anti Detours (an ROP "Advanced Mitigation") Banned Functions (an ROP "Advanced Mitigation") [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) [1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) [1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) [1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 August 2017 October 2016 January 2016 January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| ---- | ----- | --------------------- | -------------- |
+| Windows 10 | [1809 (October 2018)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019)
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center.
-**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
-A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
-
-**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
+**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
+A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
+
+**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
-- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
+- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
-- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
+- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
@@ -112,10 +112,10 @@ If these scenarios apply to your company, see [Internet Explorer 11 delivery thr
## Additional resources
-- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
+- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
-- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
+- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
+- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 3187f8b507..29b8c0ceca 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,12 +14,12 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
-The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
+The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
->[!IMPORTANT]
->Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
+> [!IMPORTANT]
+> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
## Included technology
@@ -41,7 +41,7 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
## Related topics
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 296dec1688..ea1f1cb9e1 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -6,7 +6,7 @@ author: dansimp
ms.author: dansimp
ms.prod: ie11
ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
@@ -21,8 +21,8 @@ In addition to the Software License Terms for the Internet Explorer Administrati
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- >[!IMPORTANT]
- >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+ > [!IMPORTANT]
+ > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
@@ -64,10 +64,10 @@ During installation, you must pick a version of IEAK 11, either **External** or
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-- **Internal Distribution**
+- **Internal Distribution**
This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
The table below identifies which customizations you may or may not perform based on the mode you selected.
@@ -100,8 +100,8 @@ Support for some of the Internet Explorer settings on the wizard pages varies de
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
-- **Internal Distribution - corporate intranet**
+- **Internal Distribution - corporate intranet**
The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
diff --git a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
index 0031c6792e..7adcb24c17 100644
--- a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
+++ b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
@@ -9,7 +9,7 @@ ms.reviewer: ramakoni, DEV_Triage
ms.prod: internet-explorer
ms.technology:
ms.topic: kb-support
-ms.custom: CI=111020
+ms.custom: CI=111026
ms.localizationpriority: Normal
# localization_priority: medium
# ms.translationtype: MT
@@ -71,10 +71,18 @@ The batch file offers the following options:
**Contents of the batch file**
-```console
+```dos
@echo off
-:: AxelR Test Batch
-:: tested on Windows 8 + IE10, Windows7 + IE9
+# This sample script is not supported under any Microsoft standard support program or service.
+# The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims
+# all implied warranties including, without limitation, any implied warranties of merchantability
+# or of fitness for a particular purpose. The entire risk arising out of the use or performance of
+# the sample scripts and documentation remains with you. In no event shall Microsoft, its authors,
+# or anyone else involved in the creation, production, or delivery of the scripts be liable for any
+# damages whatsoever (including, without limitation, damages for loss of business profits, business
+# interruption, loss of business information, or other pecuniary loss) arising out of the use of or
+# inability to use the sample scripts or documentation, even if Microsoft has been advised of the
+# possibility of such damages
:home
cls
@@ -83,55 +91,33 @@ echo Delete IE History
echo Please select the task you wish to run.
echo Pick one:
echo.
-echo 1. Delete Non-trusted web History(low level hidden clean up)
-echo 2. Delete History
-echo 3. Delete Cookies
-echo 4. Delete Temporary Internet Files
-echo 5. Delete Form Data
-echo 6. Delete Stored Passwords
-echo 7. Delete All
-echo 8. Delete All "Also delete files and settings stored by add-ons"
-echo 9. Delete IE10 and 9 Temporary Internet Files
-echo 10. Reset IE Settings
-echo 77. EXIT
+echo 1. Delete History
+echo 2. Delete Cookies
+echo 3. Delete Temporary Internet Files
+echo 4. Delete Form Data
+echo 5. Delete Stored Passwords
+echo 6. Delete All
+echo 7. Delete All "Also delete files and settings stored by add-ons"
+echo 8. Delete IE10 and 9 Temporary Internet Files
+echo 9. Reset IE Settings
+echo 00. EXIT
:choice
Echo Hit a number [1-10] and press enter.
set /P CH=[1-10]
-if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
-if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
-if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
-if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
-if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
-if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
-if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
-if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
-if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
-if "%CH%"=="77" goto quit
+if "%CH%"=="1" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
+if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
+if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
+if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
+if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
+if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
+if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
+if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
+if "%CH%"=="9" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
+if "%CH%"=="00" goto quit
%x%
-goto Home
-
-::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media
-::that are saved for faster viewing.
-::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by
-::websites to save preferences such as login information.
-::History > Delete history - To delete the history of the websites you have visited.
-::Form data > Delete forms - To delete all the saved information that you have typed into
-::forms.
-::Passwords > Delete passwords - To delete all the passwords that are automatically filled in
-::when you log on to a website that you've previously visited.
-::Delete all - To delete all of these listed items in one operation.
-
-::enter below in search/run to see Low history dir if exists
-::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low
-
-::Delete all low (untrusted history) very hidden
-::this will clean any unlocked files under the dir and not delete the dir structure
-::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-
goto Home
:quit
```
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index e8e96c7881..cb44c5b311 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -5,6 +5,7 @@
## [Get your HoloLens 2 ready to use](hololens2-setup.md)
## [Set up your HoloLens 2](hololens2-start.md)
## [HoloLens 2 fit and comfort FAQ](hololens2-fit-comfort-faq.md)
+## [HoloLens 2 cleaning FAQ](hololens2-maintenance.md)
## [Supported languages for HoloLens 2](hololens2-language-support.md)
## [Getting around HoloLens 2](hololens2-basic-usage.md)
@@ -15,6 +16,7 @@
## [HoloLens (1st gen) fit and comfort FAQ](hololens1-fit-comfort-faq.md)
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
+## [HoloLens (1st Gen) release notes](hololens1-release-notes.md)
# Deploy HoloLens and mixed reality apps in commercial environments
## [Commercial features](hololens-commercial-features.md)
@@ -36,10 +38,9 @@
# Manage users and access
## [Manage user identity and sign-in for HoloLens](hololens-identity.md)
## [Share your HoloLens with multiple people](hololens-multiple-users.md)
-## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md)
+## [Set up HoloLens as a kiosk](hololens-kiosk.md)
# Holographic applications
-## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md)
## [Find, install, and uninstall applications](holographic-store-apps.md)
## [Manage custom apps for HoloLens](holographic-custom-apps.md)
@@ -58,14 +59,18 @@
## [Update HoloLens](hololens-update-hololens.md)
## [Restart, reset, or recover HoloLens](hololens-recovery.md)
## [Troubleshoot HoloLens issues](hololens-troubleshooting.md)
+## [Collect diagnostic information from HoloLens devices](hololens-diagnostic-logs.md)
## [Known issues for HoloLens](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
## [Frequently asked security questions](hololens-faq-security.md)
## [Status of the HoloLens services](hololens-status.md)
-## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb)
-## [SCEP whitepaper](scep-whitepaper.md)
+## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
-# [HoloLens release notes](hololens-release-notes.md)
+# Resources
+## [Use 3D Viewer on HoloLens (1st gen)](holographic-3d-viewer-beta.md)
+## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md)
+
+# [HoloLens 2 release notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 4b3449e838..9a1b48b3eb 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -1,7 +1,7 @@
---
title: Change history for Microsoft HoloLens documentation
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for HoloLens.
keywords: change history
ms.prod: hololens
diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md
index 0973813221..dd46dd8371 100644
--- a/devices/hololens/holographic-3d-viewer-beta.md
+++ b/devices/hololens/holographic-3d-viewer-beta.md
@@ -1,6 +1,6 @@
---
-title: Using 3D Viewer on HoloLens
-description: Describes the types of files and features that 3D Viewer Beta on HoloLens supports, and how to use and troubleshoot the app.
+title: Using 3D Viewer on HoloLens (1st gen)
+description: Describes the types of files and features that 3D Viewer on HoloLens (1st gen) supports, and how to use and troubleshoot the app.
ms.prod: hololens
ms.sitesec: library
author: Teresa-Motiv
@@ -15,15 +15,18 @@ appliesto:
- HoloLens (1st gen)
---
-# Using 3D Viewer on HoloLens
+# Using 3D Viewer on HoloLens (1st gen)
-3D Viewer lets you view 3D models on HoloLens. You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
+3D Viewer lets you view 3D models on HoloLens (1st gen). You can open and view *supported* .fbx files from Microsoft Edge, OneDrive, and other apps.
+
+>[!NOTE]
+>This article applies to the immersive Unity **3D Viewer** app, which supports .fbx files and is only available on HoloLens (1st gen). The pre-installed **3D Viewer** app on HoloLens 2 supports opening custom .glb 3D models in the mixed reality home (see [Asset requirements overview](https://docs.microsoft.com/windows/mixed-reality/creating-3d-models-for-use-in-the-windows-mixed-reality-home#asset-requirements-overview) for more details.
If you're having trouble opening a 3D model in 3D Viewer, or certain features of your 3D model are unsupported, see [Supported content specifications](#supported-content-specifications).
-To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer-beta).
+To build or optimize 3D models for use with 3D Viewer, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer).
-There are two ways to open a 3D model on HoloLens. See [Viewing 3D models on HoloLens](#viewing-3d-models-on-hololens) to learn more.
+There are two ways to open a 3D model on HoloLens. See [Viewing FBX files on HoloLens](#viewing-fbx-files-on-hololens) to learn more.
If you're having trouble after reading these topics, see [Troubleshooting](#troubleshooting).
@@ -83,14 +86,14 @@ If you're having trouble after reading these topics, see [Troubleshooting](#trou
### File and model limitations
-There are hard limits on the size of files, as well as the number of models, vertices, and meshes that can be open simultaneously in 3D Viewer Beta:
+There are hard limits on the size of files, as well as the number of models, vertices, and meshes that can be open simultaneously in 3D Viewer:
- 500 MB maximum file size per model
- Vertices: 600,000 combined on all open models
- Meshes: 1,600 combined on all open models
- Maximum of 40 models open at one time
-## Optimizing 3D models for 3D Viewer Beta
+## Optimizing 3D models for 3D Viewer
### Special considerations
@@ -100,9 +103,9 @@ There are hard limits on the size of files, as well as the number of models, ver
### Performance optimization
-Keep performance in mind while authoring content and validate in the 3D Viewer Beta app on HoloLens during the authoring process for best results. 3D Viewer Beta renders content real-time and performance is subject to HoloLens hardware capabilities.
+Keep performance in mind while authoring content and validate in the 3D Viewer app on HoloLens during the authoring process for best results. 3D Viewer renders content real-time and performance is subject to HoloLens hardware capabilities.
-There are many variables in a 3D model that can impact performance. 3D Viewer Beta will show a warning on load if there are more than 150,000 vertices or more than 400 meshes. Animations can have an impact on the performance of other open models. There are also hard limits on the total number models, vertices, and meshes that can be open simultaneously in 3D Viewer Beta (see [File and model limitations](#file-and-model-limitations)).
+There are many variables in a 3D model that can impact performance. 3D Viewer will show a warning on load if there are more than 150,000 vertices or more than 400 meshes. Animations can have an impact on the performance of other open models. There are also hard limits on the total number models, vertices, and meshes that can be open simultaneously in 3D Viewer (see [File and model limitations](#file-and-model-limitations)).
If the 3D model isn't running well due to model complexity, consider:
@@ -110,19 +113,19 @@ If the 3D model isn't running well due to model complexity, consider:
- Reducing number of bones in rigged animation
- Avoiding self-occlusion
-Double-sided rendering is supported in 3D Viewer Beta, although it is turned off by default for performance reasons. This can be turned on via the **Double Sided** button on the **Details** page. For best performance, avoid the need for double-sided rendering in your content.
+Double-sided rendering is supported in 3D Viewer, although it is turned off by default for performance reasons. This can be turned on via the **Double Sided** button on the **Details** page. For best performance, avoid the need for double-sided rendering in your content.
### Validating your 3D model
-Validate your model by opening it in 3D Viewer Beta on HoloLens. Select the **Details** button to view your model's characteristics and warnings of unsupported content (if present).
+Validate your model by opening it in 3D Viewer on HoloLens. Select the **Details** button to view your model's characteristics and warnings of unsupported content (if present).
### Rendering 3D models with true-to-life dimensions
-By default, 3D Viewer Beta displays 3D models at a comfortable size and position relative to the user. However, if rendering a 3D model with true-to-life measurements is important (for example, when evaluating furniture models in a room), the content creator can set a flag within the file's metadata to prevent resizing of that model by both the application and the user.
+By default, 3D Viewer displays 3D models at a comfortable size and position relative to the user. However, if rendering a 3D model with true-to-life measurements is important (for example, when evaluating furniture models in a room), the content creator can set a flag within the file's metadata to prevent resizing of that model by both the application and the user.
-To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer Beta will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer Beta is 1 meter per FBX unit.
+To prevent scaling of the model, add a Boolean custom attribute to any object in the scene named Microsoft_DisableScale and set it to true. 3D Viewer will then respect the FbxSystemUnit information baked into the FBX file. Scale in 3D Viewer is 1 meter per FBX unit.
-## Viewing 3D models on HoloLens
+## Viewing FBX files on HoloLens
### Open an FBX file from Microsoft Edge
@@ -130,71 +133,71 @@ FBX files can be opened directly from a website using Microsoft Edge on HoloLens
1. In Microsoft Edge, navigate to the webpage containing the FBX file you want to view.
1. Select the file to download it.
-1. When the download is complete, select the **Open** button in Microsoft Edge to open the file in 3D Viewer Beta.
+1. When the download is complete, select the **Open** button in Microsoft Edge to open the file in 3D Viewer.
The downloaded file can be accessed and opened again later by using Downloads in Microsoft Edge. To save a 3D model and ensure continued access, download the file on your PC and save it to your OneDrive account. The file can then be opened from the OneDrive app on HoloLens.
> [!NOTE]
-> Some websites with downloadable FBX models provide them in compressed ZIP format. 3D Viewer Beta cannot open ZIP files directly. Instead, use your PC to extract the FBX file and save it to your OneDrive account. The file can then be opened from the OneDrive app on HoloLens.
+> Some websites with downloadable FBX models provide them in compressed ZIP format. 3D Viewer cannot open ZIP files directly. Instead, use your PC to extract the FBX file and save it to your OneDrive account. The file can then be opened from the OneDrive app on HoloLens.
### Open an FBX file from OneDrive
FBX files can be opened from OneDrive by using the OneDrive app on HoloLens. Be sure you've installed OneDrive using Microsoft Store app on HoloLens and that you've already uploaded the FBX file to OneDrive on your PC.
-Once in OneDrive, FBX files can be opened on HoloLens using 3D Viewer Beta in one of two ways:
+Once in OneDrive, FBX files can be opened on HoloLens using 3D Viewer in one of two ways:
-- Launch OneDrive on HoloLens and select the FBX file to open it in 3D Viewer Beta.
-- Launch 3D Viewer Beta, air tap to show the toolbar, and select **Open File**. OneDrive will launch, allowing you to select an FBX file.
+- Launch OneDrive on HoloLens and select the FBX file to open it in 3D Viewer.
+- Launch 3D Viewer, air tap to show the toolbar, and select **Open File**. OneDrive will launch, allowing you to select an FBX file.
## Troubleshooting
### I see a warning when I open a 3D model
-You will see a warning if you attempt to open a 3D model that contains features that are not supported by 3D Viewer Beta, or if the model is too complex and performance may be affected. 3D Viewer Beta will still load the 3D model, but performance or visual fidelity may be compromised.
+You will see a warning if you attempt to open a 3D model that contains features that are not supported by 3D Viewer, or if the model is too complex and performance may be affected. 3D Viewer will still load the 3D model, but performance or visual fidelity may be compromised.
-For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta).
+For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer).
### I see a warning and the 3D model doesn't load
-You will see an error message when 3D Viewer Beta cannot load a 3D model due to complexity or file size, or if the FBX file is corrupt or invalid. You will also see an error message if you have reached the limit on the total number of models, vertices, or meshes that can be open simultaneously.
+You will see an error message when 3D Viewer cannot load a 3D model due to complexity or file size, or if the FBX file is corrupt or invalid. You will also see an error message if you have reached the limit on the total number of models, vertices, or meshes that can be open simultaneously.
For more info, see [Supported content specifications](#supported-content-specifications) and [File and model limitations](#file-and-model-limitations).
-If you feel your model meets the supported content specifications and has not exceeded the file or model limitations, you may send your FBX file to the 3D Viewer Beta team at holoapps@microsoft.com. We are not able to respond personally, but having examples of files that do not load properly will help our team improve on future versions of the app.
+If you feel your model meets the supported content specifications and has not exceeded the file or model limitations, you may send your FBX file to the 3D Viewer team at holoapps@microsoft.com. We are not able to respond personally, but having examples of files that do not load properly will help our team improve on future versions of the app.
### My 3D model loads, but does not appear as expected
-If your 3D model does not look as expected in 3D Viewer Beta, air tap to show the toolbar, then select **Details**. Aspects of the file which are not supported by 3D Viewer Beta will be highlighted as warnings.
+If your 3D model does not look as expected in 3D Viewer, air tap to show the toolbar, then select **Details**. Aspects of the file which are not supported by 3D Viewer will be highlighted as warnings.
The most common issue you might see is missing textures, likely because they are not embedded in the FBX file. In this case, the model will appear white. This issue can be addressed in the creation process by exporting from your creation tool to FBX with the embed textures option selected.
-For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta).
+For more info, see [Supported content specifications](#supported-content-specifications) and [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer).
### I experience performance drops while viewing my 3D model
Performance when loading and viewing a 3D model can be affected by the complexity of the model, number of models open simultaneously, or number of models with active animations.
-For more info, see [Optimizing 3D models for 3D Viewer Beta](#optimizing-3d-models-for-3d-viewer-beta) and [File and model limitations](#file-and-model-limitations).
+For more info, see [Optimizing 3D models for 3D Viewer](#optimizing-3d-models-for-3d-viewer) and [File and model limitations](#file-and-model-limitations).
-### When I open an FBX file on HoloLens, it doesn't open in 3D Viewer Beta
+### When I open an FBX file on HoloLens, it doesn't open in 3D Viewer
-3D Viewer Beta is automatically associated with the .fbx file extension when it is installed.
+3D Viewer is automatically associated with the .fbx file extension when it is installed.
If you try to open an FBX file and see a dialog box that directs you to Microsoft Store, you do not currently have an app associated with the .fbx file extension on HoloLens.
-Verify that 3D Viewer Beta is installed. If it is not installed, download it from Microsoft Store on HoloLens.
+Verify that 3D Viewer is installed. If it is not installed, download it from Microsoft Store on HoloLens.
-If 3D Viewer Beta is already installed, launch 3D Viewer Beta, then try opening the file again. If the issue persists, uninstall and reinstall 3D Viewer Beta. This will re-associate the .fbx file extension with 3D Viewer Beta.
+If 3D Viewer is already installed, launch 3D Viewer, then try opening the file again. If the issue persists, uninstall and reinstall 3D Viewer. This will re-associate the .fbx file extension with 3D Viewer.
-If attempting to open an FBX file opens an app other than 3D Viewer Beta, that app was likely installed after 3D Viewer Beta and has taken over association with the .fbx file extension. If you prefer 3D Viewer Beta to be associated with the .fbx file extension, uninstall and reinstall 3D Viewer Beta.
+If attempting to open an FBX file opens an app other than 3D Viewer, that app was likely installed after 3D Viewer and has taken over association with the .fbx file extension. If you prefer 3D Viewer to be associated with the .fbx file extension, uninstall and reinstall 3D Viewer.
-### The Open File button in 3D Viewer Beta doesn't launch an app
+### The Open File button in 3D Viewer doesn't launch an app
The **Open File** button will open the app associated with the file picker function on HoloLens. If OneDrive is installed, the **Open File** button should launch OneDrive. However, if there is currently no app associated with the file picker function installed on HoloLens, you will be directed to Microsoft Store.
-If the **Open File** button launches an app other than OneDrive, that app was likely installed after OneDrive and has taken over association with the file picker function. If you prefer OneDrive to launch when selecting the **Open File** button in 3D Viewer Beta, uninstall and reinstall OneDrive.
+If the **Open File** button launches an app other than OneDrive, that app was likely installed after OneDrive and has taken over association with the file picker function. If you prefer OneDrive to launch when selecting the **Open File** button in 3D Viewer, uninstall and reinstall OneDrive.
-If the **Open File** button is not active, it's possible that you have reached the limit of models that can be open in 3D Viewer Beta at one time. If you have 40 models open in 3D Viewer Beta, you will need to close some before you will be able to open additional models.
+If the **Open File** button is not active, it's possible that you have reached the limit of models that can be open in 3D Viewer at one time. If you have 40 models open in 3D Viewer, you will need to close some before you will be able to open additional models.
## Additional resources
diff --git a/devices/hololens/holographic-store-apps.md b/devices/hololens/holographic-store-apps.md
index 085f14c50e..f993afcb7f 100644
--- a/devices/hololens/holographic-store-apps.md
+++ b/devices/hololens/holographic-store-apps.md
@@ -33,12 +33,18 @@ Open the Microsoft Store from the **Start** menu. Then browse for apps and games
## Install apps
-To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
+To download apps, you'll need to be signed in with a Microsoft account. Some apps are free and can be downloaded right away. Apps that require a purchase require you to be signed in to the Store with your Microsoft account and have a valid payment method.
+> [!NOTE]
+> The account you use on Microsoft Store does not have to be the same as the account you are signed in with. If you are using a Work or School account on your HoloLens then you'll need to sign in with your personal account in the Store App to make a purchase.
-1. To open the [**Start** menu](holographic-home.md), perform a [bloom](hololens1-basic-usage.md) gesture or tap your wrist.
-2. Select the Store app and then tap to place this tile into your world.
-3. Once the Store app opens, use the search bar to look for any desired application.
-4. Select **Get** or **Install** on the application's page (a purchase may be required).
+To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
+
+1. To open the [**Start** menu](holographic-home.md), perform a [Start gesture](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) or [bloom](hololens1-basic-usage.md) gesture on HoloLens 1.
+1. Select the Store app. Once the Store app opens:
+ 1. Use the search bar to look for any desired applications.
+ 1. Select essential apps or apps made specifically for HoloLens from one of the curated categories.
+ 1. On the top right of the Store app, select the **...** button and then select **My Library** to view any previously purchased apps.
+1. Select **Get** or **Install** on the application's page (a purchase may be required).
## Uninstall apps
@@ -46,7 +52,7 @@ There are two ways to uninstall applications. You can uninstall applications th
### Uninstall from the Start menu
-On the **Start** menu or in the **All apps** list, gaze at the app. Tap and hold until the menu appears, then select **Uninstall**.
+On the **Start** menu or in the **All apps** list, browse to the app. Air tap and hold until the menu appears, then select **Uninstall**.
### Uninstall from the Microsoft Store
diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md
index dcba528079..dc20ced641 100644
--- a/devices/hololens/hololens-calibration.md
+++ b/devices/hololens/hololens-calibration.md
@@ -38,7 +38,7 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan
-During this process, you'll look at a set of targets (gems). It's fine if you blink or close your eyes during calibration but try not to stare at other objects in the room. This allows HoloLens to learn about your eye position to render your holographic world.
+During this process, you'll look at a set of targets (gems). It's fine if you blink during calibration, but try to stay focused on the gems instead of other objects in the room. This allows HoloLens to learn about your eye position to render your holographic world.
@@ -52,7 +52,7 @@ If calibration was successful, you'll see a success screen. If not, read more a
### Calibration when sharing a device or session
-Multiple users can share a HoloLens 2 device, without a need for each person to go through device setup. When a new user puts the device on their head for th first time, HoloLens 2 automatically prompts the user to calibrate visuals. When a user that has previously calibrated visuals puts the device on their head, the display seamlessly adjusts for quality and a comfortable viewing experience.
+Multiple users can share a HoloLens 2 device, without a need for each person to go through device setup. When a new user puts the device on their head for the first time, HoloLens 2 automatically prompts the user to calibrate visuals. When a user that has previously calibrated visuals puts the device on their head, the display seamlessly adjusts for quality and a comfortable viewing experience.
### Manually starting the calibration process
@@ -84,12 +84,16 @@ If calibration is unsuccessful try:
- Moving objects in your visor out of the way (such as hair)
- Turning on a light in your room or moving out of direct sunlight
-If you followed all guidelines and calibration is still failing, please let us know by filing feedback in [Feedback Hub](hololens-feedback.md).
+If you followed all guidelines and calibration is still failing, you can disable the calibration prompt in Settings. Please also let us know by filing feedback in [Feedback Hub](hololens-feedback.md).
+
+Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system.
### Calibration data and security
Calibration information is stored locally on the device and is not associated with any account information. There is no record of who has used the device without calibration. This mean new users will get prompted to calibrate visuals when they use the device for the first time, as well as users who opted out of calibration previously or if calibration was unsuccessful.
+The device can locally store up to 50 calibration profiles. After this number is reached, the device automatically deletes the oldest unused profile.
+
Calibration information can always be deleted from the device in **Settings** > **Privacy** > **Eye tracker**.
### Disable calibration
@@ -105,6 +109,8 @@ You can also disable the calibration prompt by following these steps:
### HoloLens 2 eye-tracking technology
The device uses its eye-tracking technology to improve display quality, and to ensure that all holograms are positioned accurately and comfortable to view in 3D. Because it uses the eyes as landmarks, the device can adjust itself for every user and tune its visuals as the headset shifts slightly throughout use. All adjustments happen on the fly without a need for manual tuning.
+> [!NOTE]
+> Setting the IPD is not applicable for Hololens 2, since eye positions are computed by the system.
HoloLens applications use eye tracking to track where you are looking in real time. This is the main capability developers can leverage to enable a whole new level of context, human understanding and interactions within the Holographic experience. Developers don’t need to do anything to leverage this capability.
diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md
index 98ec5c6e06..ddeb2b11b2 100644
--- a/devices/hololens/hololens-commercial-infrastructure.md
+++ b/devices/hololens/hololens-commercial-infrastructure.md
@@ -56,7 +56,7 @@ Make sure that [this list](hololens-offline.md) of endpoints are allowed on your
### Remote Assist Specific Network Requirements
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
-**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
+**(Please note, if you don't network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
### Guides Specific Network Requirements
@@ -73,18 +73,18 @@ Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for a
1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
-1. Ensure that your company’s users are in Azure Active Directory (Azure AD).
+1. Ensure that your company's users are in Azure Active Directory (Azure AD).
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
1. We suggest that users who need similar licenses are added to the same group.
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
-1. Ensure that your company’s users (or group of users) are assigned the necessary licenses.
+1. Ensure that your company's users (or group of users) are assigned the necessary licenses.
Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options)
-These steps ensure that your company’s users (or a group of users) can add devices.
+These steps ensure that your company's users (or a group of users) can add devices.
1. **Option 1:** Give all users permission to join devices to Azure AD.
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *All***
@@ -163,7 +163,7 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. Check your app settings
1. Log into your Microsoft Store Business account
- 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”**
+ 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select "Everyone" or "Specific Groups"**
>[!NOTE]
>If you don't see the app you want, you will have to "get" the app by searching the store for your app. **Click the "Search" bar in the upper right-hand corner > type in the name of the app > click on the app > select "Get"**.
1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
@@ -171,11 +171,11 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
> [!NOTE]
-> You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
+> You can configure different users to have different Kiosk Mode experiences by using "Azure AD" as the "User logon type". However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
-For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
+For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
## Certificates and Authentication
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
index fd770fd0cc..f75a5599df 100644
--- a/devices/hololens/hololens-connect-devices.md
+++ b/devices/hololens/hololens-connect-devices.md
@@ -32,7 +32,7 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices:
- HoloLens (1st gen) clicker
> [!NOTE]
-> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [I'm having problems pairing or using a Bluetooth device](hololens-FAQ.md#im-having-problems-pairing-or-using-a-bluetooth-device).
+> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [HoloLens Settings lists devices as available, but the devices don't work](hololens-FAQ.md#hololens-settings-lists-devices-as-available-but-the-devices-dont-work).
### Pair a Bluetooth keyboard or mouse
@@ -45,10 +45,15 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices:
### HoloLens (1st gen): Pair the clicker
1. Use the bloom gesture to go to **Start**, and then select **Settings**.
+
1. Select **Devices**, and make sure that Bluetooth is on.
+
1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.
+
The pairing button is on the underside of the clicker, next to the finger loop.
+
+
1. On the pairing screen, select **Clicker** > **Pair**.
## HoloLens 2: Connect USB-C devices
@@ -63,6 +68,9 @@ HoloLens 2 supports the following classes of USB-C devices:
- Wired keyboard
- Combination PD hubs (USB A plus PD charging)
+> [!NOTE]
+> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with Windows Holographic, version 2004. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported
+
## Connect to Miracast
To use Miracast, follow these steps:
@@ -74,3 +82,10 @@ To use Miracast, follow these steps:
1. On the list of devices that appears, select an available device.
1. Complete the pairing to begin projecting.
+
+## Disable Bluetooth
+
+This procedure turns off the RF components of the Bluetooth radio and disables all Bluetooth functionality on Microsoft HoloLens.
+
+1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings** > **Devices**.
+1. Move the slider switch for **Bluetooth** to the **Off** position.
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index aa2d8ec6dc..ec869cc67d 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -30,7 +30,7 @@ This article teaches you how to control HoloLens and your holographic world with
## Built-in voice commands
-Get around HoloLens faster with these basic commands. In order to use these you need to enable Speech during first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of Start menu.
+Get around HoloLens faster with these basic commands. In order to use these, you need to enable Speech during the first run of the device or in **Settings** > **Privacy** > **Speech**. You can always check whether speech is enabled by looking at the status at the top of the Start menu. For the best speech recognition results, HoloLens 2 uses the Microsoft cloud-based services. However, you can use Settings to disable this feature. To do this, in Settings, turn off **Online speech recognition**. After you change this setting, HoloLens 2 will only process voice data locally to recognize commands and dictation, and Cortana will not be available.
### General speech commands
@@ -48,6 +48,19 @@ Use these commands throughout Windows Mixed Reality to get around faster. Some c
|Hide and show hand ray | "Hide hand ray" / "Show hand ray" |
|See available speech commands | "What can I say?" |
+Starting with version 19041.x of HoloLens 2, you can also use these commands:
+
+| Say this | To do this |
+| - | - |
+| "Restart device" | Bring up a dialogue to confirm you want to restart the device. You can say "yes" to restart. |
+| "Shutdown device" | Bring up a dialogue to confirm you want to turn off the device. You can say "yes" to confirm. |
+| "Brightness up/down" | Increase or decrease the display brightness by 10%. |
+| "Volume up/down" | Increase or decrease the volume by 10%. |
+| "What's my IP address" | Bring up a dialogue displaying your device's current IP address on the local network. |
+| "Take a picture" | Capture a mixed reality photo of what you are currently seeing. |
+| "Take a video" | Start recording a mixed reality video. |
+| "Stop recording" | Stops the current mixed reality video recording if one is in progress. |
+
### Hologram commands
To use these commands, gaze at a 3D object, hologram, or app window.
@@ -87,7 +100,7 @@ Sometimes it's helpful to spell out things like email addresses. For instance, t
## Do more with Cortana
-Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. She can give you suggestions, ideas, reminders, alerts, and more. To get her attention, select Cortana on **Start** or say "Hey Cortana" anytime.
+Cortana can help you do all kinds of things on your HoloLens, but depending on which version of Windows Holographic you're using, the capablities may be different. You can learn more about the updated capabilites of the latest version of Cortana [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
@@ -96,22 +109,27 @@ Here are some things you can try saying (remember to say "Hey Cortana" first).
**Hey, Cortana**...
- What can I say?
+- Launch <*app name*>.
+- What time is it?
+- Show me the latest NBA scores.
+- Tell me a joke.
+
+If you're using *version 18362.x or earlier*, you can also use these commands:
+
+**Hey, Cortana**...
+
- Increase the volume.
- Decrease the brightness.
- Shut down.
- Restart.
- Go to sleep.
- Mute.
-- Launch <*app name*>.
- Move <*app name*> here (gaze at the spot that you want the app to move to).
- Go to Start.
- Take a picture.
- Start recording. (Starts recording a video.)
- Stop recording. (Stops recording a video.)
-- What time is it?
-- Show me the latest NBA scores.
- How much battery do I have left?
-- Tell me a joke.
Some Cortana features that you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens, and the Cortana experience may vary from one region to another.
diff --git a/devices/hololens/hololens-diagnostic-logs.md b/devices/hololens/hololens-diagnostic-logs.md
new file mode 100644
index 0000000000..212f936079
--- /dev/null
+++ b/devices/hololens/hololens-diagnostic-logs.md
@@ -0,0 +1,269 @@
+---
+title: Collect and use diagnostic information from HoloLens devices
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 03/23/2020
+ms.prod: hololens
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.topic: article
+ms.custom:
+- CI 115131
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords:
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Collect and use diagnostic information from HoloLens devices
+
+HoloLens users and administrators can choose from among four different methods to collect diagnostic information from HoloLens:
+
+- Feedback Hub app
+- DiagnosticLog CSP
+- Settings app
+- Fallback diagnostics
+
+> [!IMPORTANT]
+> Device diagnostic logs contain personally identifiable information (PII), such as about what processes or applications the user starts during typical operations. When multiple users share a HoloLens device (for example, users sign in to the same device by using different Microsoft Azure Active Directory (AAD) accounts) the diagnostic logs may contain PII information that applies to multiple users. For more information, see [Microsoft Privacy statement](https://privacy.microsoft.com/privacystatement).
+
+The following table compares the four collection methods. The method names link to more detailed information in the sections that follow the table.
+
+|Method |Prerequisites |Data locations |Data access and use |Data retention |
+| --- | --- | --- | --- | --- |
+|[Feedback Hub](#feedback-hub) |Network and internet connection
Feedback Hub app
Permission to upload files to the Microsoft cloud |Microsoft cloud
HoloLens device (optional) |User requests assistance, agrees to the terms of use, and uploads the data
Microsoft employees view the data, as consistent with the terms of use |Data in the cloud is retained for the period that is defined by Next Generation Privacy (NGP). Then the data is deleted automatically.
Data on the device can be deleted at any time by a user who has **Device owner** or **Admin** permissions. |
+|[Settings Troubleshooter](#settings-troubleshooter) |Settings app |HoloLens device
Connected computer (optional) |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+|[DiagnosticLog CSP](#diagnosticlog-csp) |Network connection
MDM environment that supports the DiagnosticLog CSP |Administrator configures storage locations |In the managed environment, the user implicitly consents to administrator access to the data.
Administrator configures access roles and permissions. | Administrator configures retention policy. |
+|[Fallback diagnostics](#fallback-diagnostics) |Device configuration:
|HoloLens device
Connected computer |The user stores the data, and only the user accesses the data (unless the user specifically shares the data with another user). |The data is retained until the user deletes it. |
+
+## Feedback Hub
+
+A HoloLens user can use the Microsoft Feedback Hub desktop app to send diagnostic information to Microsoft Support. For details and complete instructions, see [Give us feedback](hololens-feedback.md).
+
+> [!NOTE]
+> **Commercial or enterprise users:** If you use the Feedback Hub app to report a problem that relates to MDM, provisioning, or any other device management aspect, change the app category to **Enterprise Management** > **Device category**.
+
+### Prerequisites
+
+- The device is connected to a network.
+- The Feedback Hub app is available on the user's desktop computer, and the user can upload files to the Microsoft cloud.
+
+### Data locations, access, and retention
+
+By agreeing to the terms-of-use of the Feedback Hub, the user explicitly consents to the storage and usage of the data (as defined by that agreement).
+
+The Feedback Hub provides two places for the user to store diagnostic information:
+
+- **The Microsoft cloud**. Data that the user uploads by using the Feedback Hub app is stored for the number of days that is consistent with Next Generation Privacy (NGP) requirements. Microsoft employees can use an NGP-compliant viewer to access the information during this period.
+ > [!NOTE]
+ > These requirements apply to data in all Feedback Hub categories.
+
+- **The HoloLens device**. While filing a report in Feedback Hub, the user can select **Save a local copy of diagnostics and attachments created when giving feedback**. If the user selects this option, the Feedback Hub stores a copy of the diagnostic information on the HoloLens device. This information remains accessible to the user (or anyone that uses that account to sign in to HoloLens). To delete this information, a user must have **Device owner** or **Admin** permissions on the device. A user who has the appropriate permissions can sign in to the Feedback Hub, select **Settings** > **View diagnostics logs**, and delete the information.
+
+## Settings Troubleshooter
+
+A HoloLens user can use the Settings app on the device to troubleshoot problems and collect diagnostic information. To do this, follow these steps:
+
+1. Open the Settings app and select **Update & Security** > **Troubleshoot** page.
+1. Select the appropriate area, and select **Start**.
+1. Reproduce the issue.
+1. After you reproduce the issue, return to Settings and then select **Stop**.
+
+### Prerequisites
+
+- The Settings app is installed on the device and is available to the user.
+
+### Data locations, access, and retention
+
+Because the user starts the data collection, the user implicitly consents to the storage of the diagnostic information. Only the user, or anyone with whom that the user shares the data, can access the data.
+
+The diagnostic information is stored on the device. If the device is connected to the user's computer, the information also resides on the computer in the following file:
+
+> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents\\Trace\<*ddmmyyhhmmss*>.etl
+
+> [!NOTE]
+> In this file path and name, \<*HoloLens device name*> represents the name of the HoloLens device, and \<*ddmmyyhhmmss*> represents the date and time that the file was created.
+
+The diagnostic information remains in these locations until the user deletes it.
+
+## DiagnosticLog CSP
+
+In a Mobile Device Management (MDM) environment, the IT administrator can use the the [DiagnosticLog configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/diagnosticlog-csp) to configure diagnostic settings on enrolled HoloLens devices. The IT administrator can configure these settings to collect logs from enrolled devices.
+
+### Prerequisites
+
+- The device is connected to a network.
+- The device is enrolled in an MDM environment that supports the DiagnosticLog CSP.
+
+### Data locations, access, and retention
+
+Because the device is part of the managed environment, the user implicitly consents to administrative access to diagnostic information.
+
+The IT administrator uses the DiagnosticLog CSP to configure the data storage, retention, and access policies, including the policies that govern the following:
+
+- The cloud infrastructure that stores the diagnostic information.
+- The retention period for the diagnostic information.
+- Permissions that control access to the diagnostic information.
+
+## Fallback diagnostics
+
+While device telemetry usually provides an initial understanding of a problem report, some issues require a broader and deeper understanding of the device state. When you (as a user or an administrator) investigate such issues, diagnostic logs that reside on the device are more useful than the basic device telemetry.
+
+The fallback diagnostics process provides a way for you to gather diagnostic information if no other methods are available. Such scenarios include the following:
+
+- The network or network-based resources (such as the Feedback Hub, MDM, and so on) are not available.
+- The device is "stuck" or locked in a state in which usual troubleshooting capabilities (such as the Settings app) are not available. Such scenarios include the Out-of-Box-Experience (OOBE), kiosk mode, and a locked or "hung" user interface.
+
+> [!IMPORTANT]
+> - On HoloLens 2 devices, you can use fallback diagnostics under the following conditions only:
+> - During the Out-of-the-Box-Experience (OOBE) and when you select **Send Full Diagnostics Data**.
+> - If the environment's Group Policy enforces the **System\AllowTelemetry** policy value of **Full**.
+> - On HoloLens (1st gen) devices, you can use fallback diagnostics on HoloLens version 17763.316 or a later version. This version is the version that the Windows Device Recovery Tool restores when it resets the device.
+
+### How to use fallback diagnostics
+
+Before you start the fallback diagnostics process, make sure of the following:
+
+- The device is connected to a computer by using a USB cable.
+- The device is powered on.
+- The Power and Volume buttons on the device are functioning correctly.
+
+To collect fallback diagnostic information, follow these steps:
+
+1. On the device, press the Power and Volume Down buttons at the same time and then release them.
+1. Wait for few seconds while the device collects the data.
+
+### Data locations
+
+The device stores the data locally. You can access that information from the connected desktop computer at the following location:
+
+> This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents
+
+For more information about the files that the fallback diagnostics process collects, see [What diagnostics files does the fallback diagnostics process collect?](#what-diagnostics-files-does-the-fallback-diagnostics-process-collect).
+
+### Data access, use, and retention
+
+Because you store the data yourself, only you have access to the data. If you choose to share the data with another user, you implicitly grant permission for that user to access or store the data.
+
+The data remains until you delete it.
+
+### Frequently asked questions about fallback diagnostics on HoloLens
+
+#### Does the device have to be enrolled with an MDM system?
+
+No.
+
+#### How can I use fallback diagnostics on HoloLens?
+
+Before you start the fallback diagnostics process, make sure of the following:
+
+- The device is connected to a computer by using a USB cable.
+- The device is powered on.
+- The Power and Volume buttons on the device are functioning correctly.
+
+To collect fallback diagnostic information, follow these steps:
+
+1. On the device, press the Power and Volume Down buttons at the same time and then release them.
+1. Wait for few seconds while the device collects the data.
+
+#### How would I know that data collection finished?
+
+The fallback diagnostics process does not have a user interface. On HoloLens 2, when the process starts to collect data, it creates a file that is named HololensDiagnostics.temp. When the process finishes, it removes the file.
+
+#### What diagnostics files does the fallback diagnostics process collect?
+
+The fallback diagnostics process collects one or more .zip files, depending on the version of HoloLens. The following table lists each of the possible .zip files, and the applicable versions of HoloLens.
+
+|File |Contents |HoloLens (1st gen) |HoloLens 2 10.0.18362+ |HoloLens 2 10.0.19041+ |
+| --- | --- | --- | --- | --- |
+|HololensDiagnostics.zip |Files for tracing sessions that ran on the device.
Diagnostic information that's specific to Hololens. |✔️ |✔️ |✔️ |
+|DeviceEnrollmentDiagnostics.zip |Information that's related to MDM, device enrollment, CSPs, and policies. | |✔️ |✔️ |
+|AutoPilotDiagnostics.zip |Information that's related to autopilot and licensing.| | |✔️ |
+|TPMDiagnostics.zip |Information that's related to the trusted platform module (TPM) on the device | | |✔️ |
+
+> [!NOTE]
+> Starting on May 2, 2019, the fallback diagnostics process collects EventLog*.etl files only if the signed-in user is the device owner. This is because these files may contain PII data. Such data is accessible to device owners only. This behavior matches the behavior of Windows desktop computers, where administrators have access to event log files but other users do not.
+
+**Sample diagnostic content for HoloLens (1st gen)**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+
+**Sample diagnostic content for HoloLens 2 10.0.18362+**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- EventLog-Application.etl.001*
+- EventLog-System.etl.001*
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+- CSPsAndPolicies.etl.001
+- RadioMgr.etl
+- WiFiDriverIHVSession.etl
+
+DeviceEnrollmentDiagnostics.zip contains files such as the following:
+
+- MDMDiagHtmlReport.html
+- MdmDiagLogMetadata.json
+- MDMDiagReport.xml
+- MdmDiagReport_RegistryDump.reg
+- MdmLogCollectorFootPrint.txt
+
+**Sample diagnostic content for HoloLens 2 10.0.19041+**
+
+HololensDiagnostics.zip contains files such as the following:
+
+- EventLog-Application.etl.001*
+- EventLog-System.etl.001*
+- AuthLogon.etl
+- EventLog-HupRe.etl.001
+- FirstExperience.etl.001
+- HetLog.etl
+- HoloInput.etl.001
+- HoloShell.etl.001
+- WiFi.etl.001
+- CSPsAndPolicies.etl.001
+- RadioMgr.etl
+- WiFiDriverIHVSession.etl
+- DisplayDiagnosticData.json
+- HUP dumps
+
+DeviceEnrollmentDiagnostics.zip contains files such as the following:
+
+- MDMDiagHtmlReport.html
+- MdmDiagLogMetadata.json
+- MDMDiagReport.xml
+- MdmDiagReport_RegistryDump.reg
+- MdmLogCollectorFootPrint.txt
+
+AutoPilotDiagnostics.zip contains files such as the following:
+
+- DeviceHash_HoloLens-U5603.csv
+- LicensingDiag.cab
+- LicensingDiag_Output.txt
+- TpmHliInfo_Output.txt
+- DiagnosticLogCSP_Collector_DeviceEnrollment_\*.etl
+- DiagnosticLogCSP_Collector_Autopilot_*.etl
+
+TPMDiagnostics.zip contains files such as the following:
+
+- CertReq_enrollaik_Output.txt
+- CertUtil_tpminfo_Output.txt
+- TPM\*.etl
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index af44d41fb3..6b2cfb74bc 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 01/26/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
---
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index c8b54ac1f2..0e557e9c50 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 07/15/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
@@ -29,7 +29,7 @@ You can manage multiple Microsoft HoloLens devices simultaneously using solution
## Auto-enrollment in MDM
-If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
+If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-enrollment)
When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
@@ -45,4 +45,4 @@ Your device is now enrolled with your MDM server. The device will need to restar
## Unenroll HoloLens from Intune
-You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
\ No newline at end of file
+You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md
index 78dacbb581..85f66c8318 100644
--- a/devices/hololens/hololens-faq-security.md
+++ b/devices/hololens/hololens-faq-security.md
@@ -73,8 +73,6 @@ appliesto:
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
-1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
- 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
## HoloLens 2nd Gen Security Questions
@@ -125,5 +123,3 @@ appliesto:
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
-1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
- 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
diff --git a/devices/hololens/hololens-feedback.md b/devices/hololens/hololens-feedback.md
index 3199517a90..7fb8c4838e 100644
--- a/devices/hololens/hololens-feedback.md
+++ b/devices/hololens/hololens-feedback.md
@@ -4,7 +4,11 @@ description: Create actionable feedback for HoloLens and Windows Mixed Reality d
ms.assetid: b9b24c72-ff86-44a9-b30d-dd76c49479a9
author: mattzmsft
ms.author: mazeller
-ms.date: 09/13/2019
+ms.date: 05/14/2020
+ms.custom:
+- CI 116157
+- CSSTroubleshooting
+audience: ITPro
ms.prod: hololens
ms.topic: article
keywords: feedback, bug, issue, error, troubleshoot, help
@@ -15,68 +19,66 @@ appliesto:
- HoloLens 2
---
-# Give us feedback
+# Feedback for HoloLens
-Use the Feedback Hub to tell us which features you love, which features you could do without, or when something could be better.
+Use the Feedback Hub to tell us which features you love, which features you could do without, and how something could be better. The engineering team uses the same mechanism internally to track and fix bugs, so please use Feedback Hub to report any bugs that you see. We are listening!
-## Feedback for Windows Mixed Reality immersive headset on PC
+Feedback Hub is an excellent way to alert the engineering team to bugs and to make sure that future updates are healthier and more consistently free of bugs. However, Feedback Hub does not provide a response. If you need immediate help, please file feedback, take note of the summary that you provided for your feedback, and then follow up with [HoloLens support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
-> [!IMPORTANT]
-> Before you report an issue, make sure that your environment meets the following requirements so that you can successfully upload logs and other information:
->
-> - Have a minimum of 3GB free disk space available on the main drive of the device.
-> - To upload cabs or other large files, connect to a non-metered network.
+> [!NOTE]
+>
+> - Make sure you that you have the current version of Feedback Hub. To do this, select **Start** > **Microsoft Store**, and then select the ellipses (**...**). Then, select **Downloads and updates** > **Get updates**.
+>
+> - To provide the best possible data for fixing issues, we highly recommended that you set your device telemetry to **Full**. You can set this value during the Out-of-Box-Experience (OOBE), or by using the Settings app. To do this by using Settings, select **Start** > **Settings** > **Privacy** > **App Diagnostics** > **On**.
-1. Make sure that you have the immersive headset connected to your PC, and then on the desktop, select **Feedback Hub**.
-1. In the left pane, select **Feedback**.
- 
-1. To enter new feedback, select **Add new feedback**.
- 
-1. To make feedback actionable, in **What kind of feedback is this?** select **Problem**.
-1. In **Summarize your issue**, enter a meaningful title for your feedback.
-1. In **Give us more detail**, provide details and repro steps.
- 
+## Use the Feedback Hub
- As the top category, select **Mixed Reality**. Then select an applicable subcategory, as explained in the following table:
-
- |Subcategory |Description |
- |----------|----------|
- | Apps | Issues about a specific application. |
- | Developer | Issues about authoring or running an app for Mixed Reality. |
- | Device | Issues about the head-mounted device (HMD) itself. |
- | Home experience | Issues about your VR environment and your interactions with the your mixed reality home. |
- | Input | Issues about input methods, such as motion controllers, speech, gamepad, or mouse and keyboard. |
- | Set up | Anything that is preventing you from setting up the device. |
- | All other issues | Anything else. |
-
-1. If possible, add traces or video to your feedback to help us identify and fix the issue more quickly. To do this, follow these steps:
- 1. To start collecting traces, select **Start capture**. The app starts collecting traces and a video capture of your mixed reality scenario.
-
- 
- 1. Do not close the Feedback Hub app, but switch to the scenario that produces the issue. Run through the scenario to produce the circumstances that you have described.
- 1. After you finish your scenario, go back to the Feedback Hub app and select **Stop capture**. The app stops collecting information, stores the information in a file, and attaches the file to your feedback.
-1. Select **Submit**.
- 
- The Thank You page indicates that your feedback has been successfully submitted.
- 
+1. Use the **Start** gesture to open the **Start** menu, and then select **Feedback Hub**. The app opens in your environment.
-To easily direct other people (such as co-workers, Microsoft staff, [forum](https://forums.hololens.com/) readers et al) to the issue, go to **Feedback** > **My Feedback**, select the issue, select **Share**. This action provides a shortened URL that you can give to others so that they can upvote or escalate your issue.
+ 
+ > [!NOTE]
+ > If you don't see **Feedback Hub**, select **All Apps** to see the complete list of apps on the device.
-## Feedback for HoloLens
+1. To see whether someone else has given similar feedback, enter a few keywords about the topic in the **Feedback** search box.
+1. If you find similar feedback, select it, add any additional information that you have in the **Write a comment** box, and then select **Upvote**.
+1. If you don't find any similar feedback, select **Add new feedback**.
-1. Use the **bloom** gesture to open the **Start** menu, and then select **Feedback Hub**.
+ 
- 
-1. Place the app in your environment and then select the app to launch it.
-1. To see if someone else has given similar feedback, in the Feedback search box, enter a few keywords about the topic.
+1. In **Summarize your feedback**, enter a short summary of your feedback. Then add details in the **Explain in more detail** box. The more details that you provide, such as how to reproduce this problem and the effect that it has, the more useful your feedback is. When you're finished, select **Next**.
- 
-1. If you find similar feedback, select it, add any details, then select **Upvote**.
+1. Select a topic from **Choose a category**, and then select a subcategory from **Select a subcategory**. The following table describes the categories that are available in the Windows Holographic category.
- 
-1. If you don’t find any similar feedback, select **Add new feedback**, select a topic from **Select a category**, and then select a subcategory from **Select a subcategory**.
+ > [!NOTE]
+ > **Commercial customers**: To report a bug that is related to MDM, provisioning, or any other device management aspect, select the **Enterprise Management** category, and the **Device** subcategory.
- 
-1. Enter your feedback.
-1. If you are reporting a reproducible issue, you can select **Reproduce**. Without closing Feedback Hub, reproduce the issue. After you finish, come back to Feedback Hub and select **I’m done**. The app adds a mixed reality capture of your repro and relevant diagnostic logs to your feedback.
-1. Select **Post feedback**, and you’re done.
+ |Category |Description |
+ | --- | --- |
+ |Eye tracking |Feedback about eye tracking, iris sign-in, or calibration. |
+ |Hologram accuracy, stability, and reliability |Feedback about how holograms appear in space. |
+ |Launching, placing, adjusting, and exiting apps |Feedback about starting or stopping 2D or 3D apps. |
+ |Miracast |Feedback about Miracast. |
+ |Spaces and persistence |Feedback about how HoloLens recognizes spaces and retains holograms in space. |
+ |Start menu and all apps list |Feedback about the **Start** menu and the all apps list. |
+ |Surface mapping |Feedback about surface mapping. |
+ |Taking pictures and videos |Feedback about mixed reality captures. |
+ |Video hologram playback |Feedback about video hologram playback. |
+ |All other issues |All other issues. |
+
+1. You may be prompted to search for similar feedback. If your problem resembles feedback from other users, select that feedback. Otherwise, select **New feedback** and then select **Next**.
+
+1. If you are prompted, select the best description of the problem.
+
+1. Attach any relevant data to your feedback, or reproduce the problem. You can select any of the following options:
+
+ - **Attach a screenshot**. Select this option to attach a screenshot that illustrates the situation that you're describing.
+ - **Attach a file**. Select this option to attach data files. If you have files that are relevant to your problem or that could help us to reproduce your problem, attach them.
+ - **Recreate my problem**. Select this option if you can reproduce the problem yourself. After you select **Recreate my problem**, follow these steps:
+
+ 1. Select **Include data about** and make sure that the most relevant types of data are listed. In most cases, the default selections are based on the category and subcategory that you selected for your feedback.
+ 1. Select **Start Recording**.
+
+ 1. Reproduce your problem. Don’t worry if this means that you have to enter an immersive app. You will return to the feedback page when you're done.
+ 1. Select **Stop recording**. After recording stops, you can see the data that is attached to your feedback for the engineering team.
+
+1. Make sure that you have an active internet connection so that we can receive your feedback. Select **Submit**, and you’re done.
diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md
index e1fab33818..08af92c386 100644
--- a/devices/hololens/hololens-identity.md
+++ b/devices/hololens/hololens-identity.md
@@ -32,7 +32,7 @@ HoloLens supports several kinds of user identities. You can use one or more user
| Identity type | Accounts per device | Authentication options |
| --- | --- | --- |
-| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) |
|
+| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 64 |
|
| [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 |
|
| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password |
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 1f4858772e..5bc9b7a304 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -11,9 +11,9 @@ ms.custom:
- CSSTroubleshooting
ms.localizationpriority: medium
audience: ITPro
-ms.date: 1/6/2020
+ms.date: 4/21/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens 2
---
@@ -34,15 +34,20 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted,
If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Advanced Recovery Companion to recover your device to a non-Insider version of Windows Holographic.
+> [!CAUTION]
+> There is a known issue in which users who un-enroll from Insider Preview builds after manually reinstalling a fresh preview build would experience a blue screen. Afterwards they must manually recover their device. For full details on if you would be impacted or not, please view more on this [Known Issue](https://docs.microsoft.com/hololens/hololens-known-issues?source=docs#blue-screen-is-shown-after-unenrolling-from-insider-preview-builds-on-a-device-reflashed-with-a-insider-build).
+
To verify that your HoloLens is running a production build:
-- Go to **Settings > System > About**, and find the build number.
-- [See the release notes for production build numbers.](hololens-release-notes.md)
+1. Go to **Settings > System > About**, and find the build number.
+1. [See the release notes for production build numbers.](hololens-release-notes.md)
To opt out of Insider builds:
-- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
-- Follow the instructions to opt out your device.
+1. On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
+1. Follow the instructions to opt out your device.
+
+
## Provide feedback and report issues
@@ -58,45 +63,9 @@ You are welcome and encouraged to try developing your applications using Insider
## Windows Insider Release Notes
-HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out!
-Here's a quick summary of what's new:
+As of our [Windows Holographic May 2020 Update](hololens-release-notes.md) release all of our release preview feautres are now generally avalible! Make sure to [update your HoloLens](hololens-update-hololens.md) to get all the latest features.
-- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
-- Seamlessly apply a provisioning package from a USB drive to your HoloLens
-- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
-- Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use. Send a note to hlappreview@microsoft.com to join the preview.
-- Dark Mode - many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. Navigate to Settings > System > Colors to find "Choose your default app mode."
-- Support for additional system voice commands
-- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
-- Performance and stability improvements across the product
-- More information in settings on HoloLens about the policy pushed to the device
-
-Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
-
-### FIDO 2 support
-Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.
-
-Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
-
-### Provisioning package updates
-Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel.
-
-1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
-1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
-1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
-1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
-
-### System voice commands
-You can now can access these commands with your voice:
-- "Restart device"
-- "Shutdown device"
-- "Brightness up"
-- "Brightness down"
-- "Volume up"
-- "Volume down"
-- "What is my IP address?"
-
-If you're running your system with a different language, please try the appropriate commands in that language.
+We'll be updating this page again with new features again as we release them to Windows Insider builds.
### FFU download and flash directions
To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index aab93e1b8a..c08a6c076b 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -1,5 +1,5 @@
---
-title: Set up HoloLens as a kiosk for specific applications
+title: Set up HoloLens as a kiosk
description: Use a kiosk configuration to lock down the apps on HoloLens.
ms.prod: hololens
ms.sitesec: library
@@ -7,82 +7,359 @@ author: dansimp
ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/13/2018
+ms.date: 04/27/2020
ms.custom:
+- CI 115262
- CI 111456
- CSSTroubleshooting
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
-# Set up HoloLens as a kiosk for specific applications
+# Set up HoloLens as a kiosk
-In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional)
+You can configure a HoloLens device to function as a fixed-purpose device, also called a *kiosk*, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo.
-When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
+This article provides information about aspects of kiosk configuration that are specific to HoloLens devices. For general information about the different types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods).
-Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
+> [!IMPORTANT]
+> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security method. It does not stop an "allowed" app from opening another app that is not allowed. In order to block apps or processes from opening, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies.
-The following table lists the device capabilities in the different kiosk modes.
+You can use kiosk mode in either a single-app or a multi-app configuration, and you can use one of three processes to set up and deploy the kiosk configuration.
-Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast
---- | --- | --- | --- | ---
-Single-app kiosk |  |  |  | 
-Multi-app kiosk |  |  with **Home** and **Volume** (default)
Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.
Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. |  if the Camera app is enabled in the kiosk configuration. |  if the Camera app and device picker app are enabled in the kiosk configuration.
+> [!IMPORTANT]
+> Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature created. However, it does not revert all the policy changes. To revert these policies, you have to reset the device to the factory settings.
-> [!NOTE]
-> Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`.
+## Plan the kiosk deployment
-The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration.
+### Kiosk mode requirements
-> [!WARNING]
-> The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
->
-> Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app.
+You can configure any HoloLens 2 device to use kiosk mode.
-For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk:
-- You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks.
-- You can [use a provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks.
-- You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
+To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure.
-For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks.
+> [!IMPORTANT]
+> To help protect devices that run in kiosk mode, consider adding device management policies that turn off features such as USB connectivity. Additionally, check your update ring settings to make sure that automatic updates do not occur during business hours.
-## Start layout for HoloLens
+### Decide between a single-app kiosk or a multi-app kiosk
-If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout.
+A single-app kiosk starts the specified app when the user signs in to the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the [Start](hololens2-basic-usage.md#start-gesture) gesture. A HoloLens (1st gen) device does not respond to the [bloom](hololens1-basic-usage.md) gesture. Because only one app can run, the user cannot place other apps.
-> [!NOTE]
-> Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
+A multi-app kiosk displays the Start menu when the user signs in to the device. The kiosk configuration determines which apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by presenting to them only the things that they have to use, and removing the things they don't need to use.
-### Start layout file for MDM (Intune and others)
+The following table lists the feature capabilities in the different kiosk modes.
-Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
+| |Start menu |Quick Actions menu |Camera and video |Miracast |Cortana |Built-in voice commands |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+|Single-app kiosk |Disabled |Disabled |Disabled |Disabled |Disabled |Enabled1 |
+|Multi-app kiosk |Enabled |Enabled2 |Available2 |Available2 |Available2, 3 |Enabled1 |
-> [!NOTE]
-> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package).
+> 1 Voice commands that relate to disabled features do not function.
+> 2 For more information about how to configure these features, see [Select kiosk apps](#plan-kiosk-apps).
+> 3 Even if Cortana is disabled, the built-in voice commands are enabled.
+
+The following table lists the user support features of the different kiosk modes.
+
+| |Supported user types | Automatic sign-in | Multiple access levels |
+| --- | --- | --- | --- |
+|Single-app kiosk |Managed Service Account (MSA) in Azure Active Directory (AAD) or local account |Yes |No |
+|Multi-app kiosk |AAD account |No |Yes |
+
+For examples of how to use these capabilities, see the following table.
+
+|Use a single-app kiosk for: |Use a multi-app kiosk for: |
+| --- | --- |
+|A device that runs only a Dynamics 365 Guide for new employees. |A device that runs both Guides and Remote Assistance for a range of employees. |
+|A device that runs only a custom app. |A device that functions as a kiosk for most users (running only a custom app), but functions as a standard device for a specific group of users. |
+
+### Plan kiosk apps
+
+For general information about how to choose kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app).
+
+If you use the Windows Device Portal to configure a single-app kiosk, you select the app during the setup process.
+
+If you use a Mobile Device Management (MDM) system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk.
+
+> [!CAUTION]
+> You cannot select the Shell app as a kiosk app. Addition, we recommend that you do **not** select Microsoft Edge, Microsoft Store, or File Explorer as a kiosk app.
+
+
+
+|App Name |AUMID |
+| --- | --- |
+|3D Viewer |Microsoft.Microsoft3DViewer\_8wekyb3d8bbwe\!Microsoft.Microsoft3DViewer |
+|Calendar |microsoft.windowscommunicationsapps\_8wekyb3d8bbwe\!microsoft.windowslive.calendar |
+|Camera1, 2 |HoloCamera\_cw5n1h2txyewy\!HoloCamera |
+|Cortana3 |Microsoft.549981C3F5F10\_8wekyb3d8bbwe\!App |
+|Device Picker |HoloDevicesFlow\_cw5n1h2txyewy\!HoloDevicesFlow |
+|Dynamics 365 Guides |Microsoft.Dynamics365.Guides\_8wekyb3d8bbwe\!MicrosoftGuides |
+|Dynamics 365 Remote Assist |Microsoft.MicrosoftRemoteAssist\_8wekyb3d8bbwe\!Microsoft.RemoteAssist |
+|Feedback Hub |Microsoft.WindowsFeedbackHub\_8wekyb3d8bbwe\!App |
+|Mail |c5e2524a-ea46-4f67-841f-6a9465d9d515\_cw5n1h2txyewy\!App |
+|Miracast4 | |
+|Movies & TV |Microsoft.ZuneVideo\_8wekyb3d8bbwe\!Microsoft.ZuneVideo |
+|OneDrive |microsoft.microsoftskydrive\_8wekyb3d8bbwe\!App |
+|Photos |Microsoft.Windows.Photos\_8wekyb3d8bbwe\!App |
+|Settings |HolographicSystemSettings\_cw5n1h2txyewy\!App |
+|Tips |Microsoft.HoloLensTips\_8wekyb3d8bbwe\!HoloLensTips |
+
+> 1 To enable photo or video capture, you have to enable the Camera app as a kiosk app.
+> 2 When you enable the Camera app, be aware of the following conditions:
+> - The Quick Actions menu includes the Photo and Video buttons.
+> - You should also enable an app (such as Photos, Mail, or OneDrive) that can interact with or retrieve pictures.
+>
+> 3 Even if you do not enable Cortana as a kiosk app, built-in voice commands are enabled. However, commands that are related to disabled features have no effect.
+> 4 You cannot enable Miracast directly. To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app.
+
+### Plan user and device groups
+
+In an MDM environment, you use groups to manage device configurations and user access.
+
+The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app or apps that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk.
+
+> [!NOTE]
+> The **User logon type** of a single-app kiosk specifies a single user account. This is the user context under which the kiosk runs. The **User logon type** of a multi-app kiosk can specify one or more user accounts or groups that can use the kiosk.
+
+Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user who can sign in to the device. This setting produces behavior such as the following.
+
+- If the device is a member of the assigned group, the kiosk configuration deploys to the device the first time that any user signs in on the device.
+- If the device is not a member of the assigned group, but a user who is a member of that group signs in, the kiosk configuration deploys to the device at that time.
+
+For a full discussion of the effects of assigning configuration profiles in Intune, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-profile-assign).
+
+> [!NOTE]
+> The following examples describe multi-app kiosks. Single-app kiosks behave in a similar manner, but only one user account gets the kiosk experience.
+
+**Example 1**
+
+You use a single group (Group 1) for both devices and users. One device and users A, B, and C are members of this group. You configure the kiosk configuration profile as follows:
+
+- **User logon type**: Group 1
+- **Assigned group**: Group 1
+
+Regardless of which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience.
+
+**Example 2**
+
+You contract out devices to two different vendors who need different kiosk experiences. Both vendors have users, and you want all the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows:
+
+- Device Group 1:
+ - Device 1 (Vendor 1)
+ - Device 2 (Vendor 1)
+
+- Device Group 2:
+ - Device 3 (Vendor 2)
+ - Device 4 (Vendor 2)
+
+- User Group:
+ - User A (Vendor 1)
+ - User B (Vendor 2)
+
+You create two kiosk configuration profiles that have the following settings:
+
+- Kiosk Profile 1:
+ - **User logon type**: User Group
+ - **Assigned group**: Device Group 1
+
+- Kiosk Profile 2:
+ - **User logon type**: User Group
+ - **Assigned group**: Device Group 2
+
+These configurations produce the following results:
+
+- When any user signs in to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device.
+- When any user signs in to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device.
+- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see the Vendor 1 kiosk experience. If they sign in to Device 3 or Device 4, they see the Vendor 2 kiosk experience.
+
+#### Profile conflicts
+
+If two or more kiosk configuration profiles target the same device, they conflict. In the case of Intune-managed devices, Intune does not apply any of the conflicting profiles.
+
+Other kinds of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile.
+
+### Select a deployment method
+
+You can select one of the following methods to deploy kiosk configurations:
+
+- [Microsoft Intune or other mobile device management (MDM) service](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
+
+- [Provisioning package](#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)
+
+- [Windows Device Portal](#use-the-windows-device-portal-to-set-up-a-single-app-kiosk)
+
+ > [!NOTE]
+ > Because this method requires that Developer Mode be enabled on the device, we recommend that you use it only for demonstrations.
+
+The following table lists the capabilities and benefits of each of the deployment methods.
+
+| |Deploy by using Windows Device Portal |Deploy by using a provisioning package |Deploy by using MDM |
+| --------------------------- | ------------- | -------------------- | ---- |
+|Deploy single-app kiosks | Yes | Yes | Yes |
+|Deploy multi-app kiosks | No | Yes | Yes |
+|Deploy to local devices only | Yes | Yes | No |
+|Deploy by using Developer Mode |Required | Not required | Not required |
+|Deploy by using Azure Active Directory (AAD) | Not required | Not required | Required |
+|Deploy automatically | No | No | Yes |
+|Deployment speed | Fastest | Fast | Slow |
+|Deploy at scale | Not recommended | Not recommended | Recommended |
+
+## Use Microsoft Intune or other MDM to set up a single-app or multi-app kiosk
+
+To set up kiosk mode by using Microsoft Intune or another MDM system, follow these steps.
+
+1. [Prepare to enroll the devices](#mdmenroll).
+1. [Create a kiosk configuration profile](#mdmprofile).
+1. Configure the kiosk.
+ - [Configure the settings for a single-app kiosk](#mdmconfigsingle).
+ - [Configure the settings for a multi-app kiosk](#mdmconfigmulti).
+1. [Assign the kiosk configuration profile to a group](#mdmassign).
+1. Deploy the devices.
+ - [Deploy a single-app kiosk](#mdmsingledeploy).
+ - [Deploy a multi-app kiosk](#mdmmultideploy).
+
+### MDM, step 1 – Prepare to enroll the devices
+
+You can configure your MDM system to enroll HoloLens devices automatically when the user first signs in, or have users enroll devices manually. The devices also have to be joined to your Azure AD domain, and assigned to the appropriate groups.
+
+For more information about how to enroll the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods).
+
+### MDM, step 2 – Create a kiosk configuration profile
+
+1. Open the [Azure](https://portal.azure.com/) portal and sign in to your Intune administrator account.
+1. Select **Microsoft Intune** > **Device configuration - Profiles** > **Create profile**.
+1. Enter a profile name.
+1. Select **Platform** > **Windows 10 and later**, and then select **Profile type** >**Device restrictions**.
+1. Select **Configure** > **Kiosk**, and then select one of the following:
+ - To create a single-app kiosk, select **Kiosk Mode** > **Single-app kiosk**.
+ - To create a multi-app kiosk, select **Kiosk Mode** > **Multi-app kiosk**.
+1. To start configuring the kiosk, select **Add**.
+
+Your next steps differ depending on the type of kiosk that you want. For more information, select one of the following options:
+
+- [Single-app kiosk](#mdmconfigsingle)
+- [Multi-app kiosk](#mdmconfigmulti)
+
+For more information about how to create a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings).
+
+### MDM, step 3 (single-app) – Configure the settings for a single-app kiosk
+
+This section summarizes the settings that a single-app kiosk requires. For more details, see the following articles:
+
+- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+- For more information about the available settings for single-app kiosks in Intune, see [Single full-screen app kiosks](https://docs.microsoft.com/intune/configuration/kiosk-settings-holographic#single-full-screen-app-kiosks)
+- For other MDM services, check your provider's documentation for instructions. If you have to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig).
+
+1. Select **User logon type** > **Local user account**, and then enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk.
+ > [!NOTE]
+ > **Autologon** user account types aren't supported on Windows Holographic for Business.
+1. Select **Application type** > **Store app**, and then select an app from the list.
+
+Your next step is to [assign](#mdmassign) the profile to a group.
+
+### MDM, step 3 (multi-app) – Configure the settings for a multi-app kiosk
+
+This section summarizes the settings that a multi-app kiosk requires. For more detailed information, see the following articles:
+
+- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
+- For more information about the available settings for multi-app kiosks in Intune, see [Multi-app kiosks](https://docs.microsoft.com/mem/intune/configuration/kiosk-settings-holographic#multi-app-kiosks)
+- For other MDM services, check your provider's documentation for instructions. If you need to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens).
+- You can optionally use a custom Start layout with Intune or other MDM services. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
+
+1. Select **Target Windows 10 in S mode devices** > **No**.
+ >[!NOTE]
+ > S mode isn't supported on Windows Holographic for Business.
+1. Select **User logon type** > **Azure AD user or group** or **User logon type** > **HoloLens visitor**, and then add one or more user groups or accounts.
+
+ Only users who belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience.
+
+1. Select one or more apps by using the following options:
+ - To add an uploaded line-of-business app, select **Add store app** and then select the app that you want.
+ - To add an app by specifying its AUMID, select **Add by AUMID** and then enter the AUMID of the app. [See the list of available AUMIDs](#aumids)
+
+Your next step is to [assign](#mdmassign) the profile to a group.
+
+### MDM, step 4 – Assign the kiosk configuration profile to a group
+
+Use the **Assignments** page of the kiosk configuration profile to set where you want the kiosk configuration to deploy. In the simplest case, you assign the kiosk configuration profile to a group that will contain the HoloLens device when the device enrolls in MDM.
+
+### MDM, step 5 (single-app) – Deploy a single-app kiosk
+
+When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, signing in to the device is easy.
+
+During OOBE, follow these steps:
+
+1. Sign in by using the account that you specified in the kiosk configuration profile.
+1. Enroll the device. Make sure that the device is added to the group that the kiosk configuration profile is assigned to.
+1. Wait for OOBE to finish, for the store app to download and install, and for policies to be applied. Then restart the device.
+
+The next time you sign in to the device, the kiosk app should automatically start.
+
+If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
+
+### MDM, step 5 (multi-app) – Deploy a multi-app kiosk
+
+When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the enrollment information to the users so that they have it available during the OOBE process.
+
+> [!NOTE]
+> If you have assigned the kiosk configuration profile to a group that contains users, make sure that one of those user accounts is the first account to sign in to the device.
+
+During OOBE, follow these steps:
+
+1. Sign in by using the account that belongs to the **User logon type** group.
+1. Enroll the device.
+1. Wait for any apps that are part of the kiosk configuration profile to download and install. Also, wait for policies to be applied.
+1. After OOBE finishes, you can install additional apps from the Microsoft store or by sideloading. [Required apps](https://docs.microsoft.com/mem/intune/apps/apps-deploy#assign-an-app) for the group that the device belongs to install automatically.
+1. After the installation finishes, restart the device.
+
+The next time you sign in to the device by using an account that belongs to the **User logon type**, the kiosk app should automatically launch.
+
+If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
+
+## Use a provisioning package to set up a single-app or multi-app kiosk
+
+To set up kiosk mode by using a provisioning package, follow these steps.
+
+1. [Create an XML file that defines the kiosk configuration.](#ppkioskconfig), including a [Start layout](#start-layout-for-hololens).
+2. [Add the XML file to a provisioning package.](#ppconfigadd)
+3. [Apply the provisioning package to HoloLens.](#ppapply)
+
+### Provisioning package, step 1 – Create a kiosk configuration XML file
+
+Follow [the general instructions to create a kiosk configuration XML file for Windows desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#create-xml-file), except for the following:
+
+- Do not include Classic Windows applications (Win32). HoloLens does not support these applications.
+- Use the [placeholder Start layout XML](#start-layout-for-hololens) for HoloLens.
+- Optional: Add guest access to the kiosk configuration
+
+#### Optional: Add guest access to the kiosk configuration
+
+In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured to support the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data that is associated with the account is deleted when the account signs out.
+
+To enable the **Guest** account, add the following snippet to your kiosk configuration XML:
```xml
-
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
 |
-| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
-| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
-| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
-| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
-| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
-| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
-| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
-| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
-
-#### For international customers
-
-| Feature | Details |
-| --- | --- |
-| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
-| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
-
-#### For administrators
-
-| Feature | Details |
-|---|----|
-| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
-| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
-| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
-| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
-| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-
-### Windows 10, version 1803 for Microsoft HoloLens
-
-> **Applies to:** Hololens (1st gen)
-
-Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
-
-- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
-
-- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
-- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
-
- 
-
-- When you create a local account in a provisioning package, the password no longer expires every 42 days.
-
-- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
-
-- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
-
-- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
-
-- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
-
-- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
-
-- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
-
-- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
-
-- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 6cfcb281b0..c8be6947ae 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -66,7 +66,7 @@ There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk m
**How to Configure Kiosk Mode:**
-There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
+There are two main ways ([provisioning packages](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) and [MDM](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
### Apps and App Specific Scenarios
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index 561eb79861..2b4e28a971 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -8,10 +8,11 @@ ms.author: v-tea
audience: ITPro
ms.topic: article
ms.localizationpriority: high
-ms.date: 11/7/2019
+ms.date: 03/24/2020
ms.reviewer: jarrettr
manager: jarrettr
ms.custom:
+- CI 115825
- CI 111456
- CSSTroubleshooting
appliesto:
@@ -21,80 +22,195 @@ appliesto:
# Manage HoloLens updates
-HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet.
+HoloLens uses Windows Update in the same manner as other Windows 10 devices. When an update is available, it is automatically downloaded and installed the next time that your device is plugged in and connected to the internet. This article describes how to manage updates in an enterprise or other managed environment. For information about managing updates to individual HoloLens devices, see [Update HoloLens](hololens-update-hololens.md).
-This article will walk through all of the way to manage updates on HoloLens.
+## Manage updates automatically
-## Manually check for updates
+Windows Holographic for Business can use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) to manage updates. All HoloLens 2 devices can use Windows Holographic for Business. Make sure that they use Windows Holographic for Business build 10.0.18362.1042 or a later build. If you have HoloLens (1st gen) devices, you have to [upgrade them to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage their updates.
-While HoloLens periodically checks for system updates so you don't have to, there may be circumstances in which you want to manually check.
+Windows Update for Business connects HoloLens devices directly to the Windows Update service. By using Windows Update for Business, you can control multiple aspects of the update process—that is, which devices get which updates at what time. For example, you can roll out updates to a subset of devices for testing, then roll out updates to the remaining devices at a later date. Or, you can define different update schedules for different types of updates.
-To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app says your device is up to date, you have all the updates that are currently available.
+> [!NOTE]
+> For HoloLens devices, you can automatically manage feature updates (released twice a year) and quality updates (released monthly or as required, including critical security updates). For more information about update types, see [Types of updates managed by Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb#types-of-updates-managed-by-windows-update-for-business).
-## Go back to a previous version (HoloLens 2)
+You can configure Windows Update for Business settings for HoloLens by using policies in a Mobile Device Management (MDM) solution such as Microsoft Intune.
-In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+For a detailed discussion about how to use Intune to configure Windows Update for Business, see [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/intune/protect/windows-update-for-business-configure).
-> [!NOTE]
-> Going back to an earlier version deletes your personal files and settings.
+> [!IMPORTANT]
+> Intune provides two policy types for managing updates: *Windows 10 update ring* and *Windows 10 feature updates*. The Windows 10 feature update policy type is in public preview at this time and is not supported for HoloLens.
+>
+> You can use Windows 10 update ring policies to manage HoloLens 2 updates.
-To go back to a previous version of HoloLens 2, follow these steps:
+### Configure update policies for HoloLens 2 or HoloLens (1st gen)
-1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
-1. On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
-1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
-1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it.
-1. Connect your HoloLens to your PC using a USB-A to USB-C cable . (Even if you've been using other cables to connect your HoloLens, this one works best.)
-1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile.
-1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.)
-1. Select **Install software**, and follow the instructions.
+This section describes the policies that you can use to manage updates for either HoloLens 2 or HoloLens (1st gen). For information about additional functionality that is available for HoloLens 2, see [Plan and configure update rollouts for HoloLens 2](#plan-and-configure-update-rollouts-for-hololens-2).
-## Go back to a previous version (HoloLens (1st gen))
+The [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update) defines the policies that configure Windows Update for Business.
-In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+> [!NOTE]
+> For details about specific policies that are supported by specific editions of HoloLens, see [Policies supported by HoloLens devices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-devices).
-> [!NOTE]
-> Going back to an earlier version deletes your personal files and settings.
+#### Configure automatic checks for updates
-To go back to a previous version of HoloLens (1st gen), follow these steps:
+You can use the **Update/AllowAutoUpdate** policy to manage automatic update behavior, such as scanning, downloading, and installing updates.
-1. Make sure that you don't have any phones or Windows devices plugged in to your PC.
-1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
-1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
-1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it.
-1. Connect your HoloLens to your PC using the micro-USB cable that it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)
-1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile.
-1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.)
-1. Select **Install software**, and follow the instructions.
+This policy supports the following values:
-> [!NOTE]
-> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+- **0** - Notify the user when there is an update that is ready to download that applies to the device.
+- **1** - Automatically install the update, and then notify the user to schedule a device restart.
+- **2** - Automatically install the update, and then restart the device. This is the recommended value, and it is the default value for this policy.
-## Use policies to manage updates to HoloLens
+- **3** - Automatically install the update, and then restart at a specified time. Specify the installation day and time. If no day and time are specified, the default is daily at 3 A.M.
-> [!NOTE]
-> HoloLens (1st gen) devices must be [upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage updates.
+- **4** - Automatically install the update, and then restart the device. This option also sets the Settings page to read-only.
+
+- **5** - Turn off automatic updates.
+
+For more details about the available settings for this policy, see [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate).
+
+> [!NOTE]
+> In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. For more information, see [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+#### Configure an update schedule
To configure how and when updates are applied, use the following policies:
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
+- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday).
+ - Values: **0**–**7** (0 = every day, 1 = Sunday, 7 = Saturday)
+ - Default value: **0** (every day)
+- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime).
+ - Values: 0–23 (0 = midnight, 23 = 11 P.M.)
+ - Default value: 3 P.M.
-To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
+#### For devices that run Windows 10, version 1607 only
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-
-In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure))
-
-For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices and get updates from the Windows Server Update Service (WSUS), instead of Windows Update:
+You can use the following update policies to configure devices to get updates from the Windows Server Update Service (WSUS), instead of Windows Update:
- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice)
- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl)
-For more information about using policies to manage HoloLens, see the following articles:
+### Plan and configure update rollouts for HoloLens 2
-- [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2)
-- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business)
-- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+HoloLens 2 supports more update automation features than HoloLens (1st gen). this is especially true if you use Microsoft Intune to manage Windows Update for Business policy. These features make it easier for you to plan and implement update rollouts across your organization.
+
+#### Plan the update strategy
+
+Windows Updates for Business supports deferral policies. After Microsoft releases an update, you can use a deferral policy to define how long to wait before installing that update on devices. By associating subsets of your devices (referred to as *update rings*) with different deferral policies, you can coordinate an update rollout strategy for your organization.
+
+For example, consider an organization that has 1,000 devices and has to update them in five ways. The organization can create five update rings, as shown in the following table.
+
+|Group |Number of devices |Deferral (days) |
+| ---| :---: | :---: |
+|Grp 1 (IT staff) |5 |0 |
+|Grp 2 (early adopters) |50 |60 |
+|Grp 3 (main 1) |250 |120 |
+|Grp 4 (main 2) |300 |150 |
+|Grp 5 (main 3) |395 |180 |
+
+Here's how the rollout progresses over time to the entire organization.
+
+
+
+#### Configure an update deferral policy
+
+A deferral policy specifies the number of days between the date that an update becomes available and the date that the update is offered to a device.
+
+You can configure different deferrals for feature updates and quality updates. The following table lists the specific policies to use for each type, as well as the maximum deferral for each.
+
+|Category |Policy |Maximum deferral |
+| --- | --- | --- |
+|Feature updates |DeferFeatureUpdatesPeriodInDays |365 days |
+|Quality updates |DeferQualityUpdatesPeriodInDays |30 days |
+
+#### Examples: Using Intune to manage updates
+
+**Example 1: Create and assign an update ring**
+
+For a more detailed version of this example, see [Create and assign update rings](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#create-and-assign-update-rings).
+
+1. Sign in to the [Microsoft Endpoint Manager Admin Center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to your Intune profiles.
+1. Select **Software Updates** > **Windows 10 update rings** > **Create**.
+1. Under **Basics**, specify a name and a description (optional), and then select **Next**.
+1. Under **Update ring settings**, for **Servicing channel**, select **Semi-Annual Channel**, and then change **Feature update deferral period** to **120**. Then, select **Next**.
+1. Under **Assignments**, select **+ Select groups to include**, and then assign the update ring to one or more groups. Use **+ Select groups to exclude** to fine-tune the assignments. Then, select **Next**.
+1. Under **Review + create**, review the settings. When you're ready to save the update ring configuration, select **Create**.
+
+The list of update rings now includes the new Windows 10 update ring.
+
+**Example 2: Pause an update ring**
+
+If you encounter a problem when you deploy a feature or quality update, you can pause the update for 35 days (starting from a specified date). This pause prevents other devices from installing the update until you resolve or mitigate the issue. If you pause a feature update, quality updates are still offered to devices to make sure that they stay secure. After the specified time has passed, the pause automatically expires. At that point, the update process resumes.
+
+To pause an update ring in Intune, follow these steps:
+
+1. On the overview page for the update ring, select **Pause**.
+1. Select the type of update (**Feature** or **Quality**) to pause, and then select **OK**.
+
+When an update type is paused, the Overview pane for that ring displays how many days remain before that update type resumes.
+
+While the update ring is paused, you can select either of the following options:
+
+- To extend the pause period for an update type for 35 days, select **Extend**.
+- To restore updates for that ring to active operation, select **Resume**. You can pause the update ring again if it is necessary.
+
+> [!NOTE]
+> The **Uninstall** operation for update rings is not supported for HoloLens 2 devices.
+
+## Manually check for updates
+
+Although HoloLens periodically checks for system updates so that you don't have to, there may be circumstances in which you want to manually check.
+
+To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app indicates that your device is up to date, you have all the updates that are currently available.
+
+## Manually revert an update
+
+In some cases, you might want to go back to a previous version of the HoloLens software. The process for doing this depends on whether you are using HoloLens 2 or HoloLens (1st gen).
+
+### Go back to a previous version (HoloLens 2)
+
+You can roll back updates and return to a previous version of HoloLens 2 by using the Advanced Recovery Companion to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Reverting to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens 2, follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your computer.
+1. On your computer, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store.
+1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download).
+1. When you have finished these downloads, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file.
+1. Use a USB-A to USB-C cable to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens, this kind of cable works best.
+1. The Advanced Recovery Companion automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection**, and then open the folder that you previously expanded.
+1. Select the installation file (the file that has an .ffu extension).
+1. Select **Install software**, and then follow the instructions.
+
+### Go back to a previous version (HoloLens (1st gen))
+
+You can roll back updates and return to a previous version of HoloLens (1st gen) by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version.
+
+> [!NOTE]
+> Reverting to an earlier version deletes your personal files and settings.
+
+To go back to a previous version of HoloLens (1st gen), follow these steps:
+
+1. Make sure that you don't have any phones or Windows devices plugged in to your computer.
+1. On your computer, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery).
+1. After the downloads finish, open **File explorer** > **Downloads**, right-click the compressed (zipped) folder that you just downloaded, and then select **Extract all** > **Extract** to expand the file.
+1. Use the micro-USB cable that was provided together with your HoloLens device to connect your HoloLens device to your computer. Even if you've been using other cables to connect your HoloLens device, this one works best.
+1. The WDRT automatically detects your HoloLens device. Select the **Microsoft HoloLens** tile.
+1. On the next screen, select **Manual package selection**, and then open the folder that you previously expanded.
+1. Select the installation file (the file that has an .ffu extension).
+1. Select **Install software**, and then follow the instructions.
+
+> [!NOTE]
+> If the WDRT doesn't detect your HoloLens device, try restarting your computer. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions.
+
+## Related articles
+
+- [Deploy updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)
+- [Assign devices to servicing channels for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates)
+- [Manage Windows 10 software updates in Intune](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure)
diff --git a/devices/hololens/hololens1-release-notes.md b/devices/hololens/hololens1-release-notes.md
new file mode 100644
index 0000000000..4002d4b7ea
--- /dev/null
+++ b/devices/hololens/hololens1-release-notes.md
@@ -0,0 +1,84 @@
+---
+title: HoloLens 1st (Gen) release notes
+description: Learn about updates in each new HoloLens release.
+author: evmill
+ms.author: v-evmill
+manager: yannisle
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 05/12/2020
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
+audience: ITPro
+appliesto:
+- HoloLens 1
+
+---
+
+# HoloLens 1st (Gen) release notes
+
+### Windows 10 Holographic, version 1809
+
+> **Applies to:** Hololens (1st gen)
+
+| Feature | Details |
+|---|---|
+| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
|
+| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
+| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
+| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
+| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
+| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
+| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
+| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
+| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
+
+#### For international customers
+
+| Feature | Details |
+| --- | --- |
+| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
+| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
+
+#### For administrators
+
+| Feature | Details |
+|---|----|
+| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
+| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
+| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
+| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
+| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+
+### Windows 10, version 1803 for Microsoft HoloLens
+
+> **Applies to:** Hololens (1st gen)
+
+Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
+
+- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
+
+- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
+
+- When you create a local account in a provisioning package, the password no longer expires every 42 days.
+
+- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
+
+- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
+
+- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
+
+- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
+
+- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
+
+- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
+
+- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
+
+- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
new file mode 100644
index 0000000000..5589ec096d
--- /dev/null
+++ b/devices/hololens/hololens2-autopilot.md
@@ -0,0 +1,248 @@
+---
+title: Windows Autopilot for HoloLens 2 evaluation guide
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 4/10/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom:
+- CI 116283
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: high
+keywords: autopilot
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Windows Autopilot for HoloLens 2 evaluation guide
+
+When you set up HoloLens 2 devices for the Windows Autopilot program, your users can follow a simple process to provision the devices from the cloud.
+
+This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
+
+
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+
+1. Join the device to Azure Active Directory (Azure AD).
+ > [!NOTE]
+ > Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join.
+1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+1. Download the device-targeted policies, user-targeted apps, certificates, and networking profiles.
+1. Provision the device.
+1. Present the sign-in screen to the user.
+
+## Windows Autopilot for HoloLens 2: Get started
+
+The following steps summarize the process of setting up your environment for the Windows Autopilot for HoloLens 2. The rest of this section provides the details of these steps.
+
+1. Make sure that you meet the requirements for Windows Autopilot for HoloLens.
+1. Enroll in the Windows Autopilot for HoloLens 2 program.
+1. Verify that your tenant is flighted (enrolled to participate in the program).
+1. Register devices in Windows Autopilot.
+1. Create a device group.
+1. Create a deployment profile.
+1. Verify the ESP configuration.
+1. Configure a custom configuration profile for HoloLens devices (known issue).
+1. Verify the profile status of the HoloLens devices.
+
+### 1. Make sure that you meet the requirements for Windows Autopilot for HoloLens
+For the latest information about how to participate in the program, review [Windows Insider Release Notes](hololens-insider.md#windows-insider-release-notes).
+
+Review the following sections of the Windows Autopilot requirements article:
+
+- [Network requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements)
+- [Licensing requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#licensing-requirements)
+- [Configuration requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#configuration-requirements)
+> [!IMPORTANT]
+> Unlike other Windows Autopilot programs, Windows Autopilot for HoloLens 2 has specific operating system requirements.
+
+Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying#requirements)" section of the Windows Autopilot Self-Deploying mode article. Your environment has to meet these requirements as well as the standard Windows Autopilot requirements.
+
+> [!NOTE]
+> You do not have to review the "Step by step" and "Validation" sections of the article. The procedures later in this article provide corresponding steps that are specific to HoloLens.
+
+> [!IMPORTANT]
+> For information about how to register devices and configure profiles, see [4. Register devices in Windows Autopilot](#4-register-devices-in-windows-autopilot) and [6. Create a deployment profile](#6-create-a-deployment-profile) in this article. These sections provide steps that are specific to HoloLens.
+
+Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
+
+- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
+- Every device can connect to the internet. You can use a wired or wireless connection.
+- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
+ - Advanced Recovery Companion (ARC)
+ - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
+
+To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+
+### 2. Enroll in the Windows Autopilot for HoloLens 2 program
+
+To participate in the program, you have to use a tenant that is flighted for HoloLens. To do this, go to [Windows Autopilot for HoloLens Private Preview request](https://aka.ms/APHoloLensTAP) or use the following QR code to submit a request.
+
+
+
+In this request, provide the following information:
+
+- Tenant domain
+- Tenant ID
+- Number of HoloLens 2 devices that are participating in this evaluation
+- Number of HoloLens 2 devices that you plan to deploy by using Autopilot self-deploying mode
+
+### 3. Verify that your tenant is flighted
+
+To verify that your tenant is flighted for the Autopilot program after you submit your request, follow these steps:
+
+1. Sign in to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile**.
+
+ 
+ You should see a list that includes **HoloLens**. If this option is not present, use one of the [Feedback](#feedback) options to contact us.
+
+### 4. Register devices in Windows Autopilot
+
+To register a HoloLens device in the Windows Autopilot program, you have to obtain the hardware hash of the device (also known as the hardware ID). The device can record its hardware hash in a CSV file during the OOBE process, or later when a device owner starts the diagnostic log collection process (described in the following procedure). Typically, the device owner is the first user to sign in to the device.
+
+**Retrieve a device hardware hash**
+
+1. Start the HoloLens 2 device.
+1. On the device, press the Power and Volume Down buttons at the same time and then release them. The device collects diagnostic logs and the hardware hash, and stores them in a set of .zip files.
+1. Use a USB-C cable to connect the device to a computer.
+1. On the computer, open File Explorer. Open **This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents**, and locate the AutopilotDiagnostics.zip file.
+
+ > [!NOTE]
+ > The .zip file may not immediately be available. If the file is not ready yet you may see a HoloLensDiagnostics.temp file in the Documents folder. To update the list of files, refresh the window.
+
+1. Extract the contents of the AutopilotDiagnostics.zip file.
+1. In the extracted files, locate the CSV file that has a file name prefix of "DeviceHash." Copy that file to a drive on the computer where you can access it later.
+ > [!IMPORTANT]
+ > The data in the CSV file should use the following header and line format:
+ > ```
+ > Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes |
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
-| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Device account, including password rotation | DeviceAccount/*`
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set default volume | Properties/DefaultVolume | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set session timeout | Properties/SessionTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set default volume | Properties/DefaultVolume | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set screen timeout | Properties/ScreenTimeout | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set session timeout | Properties/SessionTimeout | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set sleep timeout | Properties/SleepTimeout | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------|
-| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes |
+| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
-You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
+You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type
- bool (Boolean)
-
## Example: Manage Surface Hub settings with Microsoft Intune
You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**.
-
-## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
+## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager
Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs.
> [!NOTE]
@@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C
3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item.
4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**.
- 
+ 
5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**.
- 
+ 
7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**.
8. On the **Windows 10 Team** page, configure the settings you require.
- 
+ 
9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**.
- 
+ 
10. On the **Additional Settings** page, click **Add**.
11. In the **Browse Settings** dialog, click **Create Setting**.
12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting.
13. Under **Setting type**, select **OMA URI**.
14. Complete the form to create a new setting, and then click **OK**.
- 
+ 
15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**.
16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**.
17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item.
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index a5d76ff156..b217ccee4d 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 4ad681ff5f..10240a192f 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Microsoft Surface Hub
description: How to manage your Surface Hub after finishing the first-run program.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 2dc9f71874..9dee3e2a4b 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Windows updates on Surface Hub
description: You can manage Windows updates on your Microsoft Surface Hub or Surface Hub 2S by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md
index 1b09f33999..5ef43af85c 100644
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@@ -6,13 +6,13 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 06/20/2019
+ms.date: 04/24/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
-# Miracast on existing wireless network or LAN
+# Miracast over infrastructure
In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
@@ -28,7 +28,12 @@ Miracast over Infrastructure offers a number of benefits:
## How it works
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+Users attempt to connect to a Miracast receiver through their Wi-Fi adapter as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+> [!NOTE]
+> For more information on the connection negotiation sequence, see [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx)
+
+
## Enabling Miracast over Infrastructure
@@ -36,14 +41,19 @@ Users attempt to connect to a Miracast receiver as they did previously. When the
If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703.
+- Open TCP port: **7250**.
- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests.
+- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled in System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests that only occur through the Wi-Fi adapter.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
The **InBoxApps/WirelessProjection/PinRequired** setting in the [SurfaceHub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) is not required for Miracast over Infrastructure. This is because Miracast over Infrastructure only works when both devices are connected to the same enterprise network. This removes the security restriction that was previously missing from Miracast. We recommend that you continue using this setting (if you used it previously) as Miracast will fall back to regular Miracast if the infrastructure connection does not work.
+
+## FAQ
+**Why do I still need Wi-Fi to use Miracast over infrastructure?**
+Discovery requests to identify Miracast receivers can only occur through the Wi-Fi adapter. Once the receivers have been identified, Windows 10 can then attempt the connection to the network.
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index eb33f483d6..c4e2ff5b3e 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 262c565327..9828a8a268 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -3,7 +3,7 @@ title: Monitor your Microsoft Surface Hub
description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 88b0653b00..d35f03b804 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: single forest deployment, on prem deployment, device account, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index f643e4cfe6..170dd03968 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -8,7 +8,7 @@ author: dansimp
ms.author: dansimp
ms.date: 08/28/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0cd6fc5219..30f0e34b1f 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Online deployment with Office 365 (Surface Hub)
description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: device account for Surface Hub, online deployment
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 22e7e1284c..1ef2fcaa46 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Password management (Surface Hub)
description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device.
ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: password, password management, password rotation, device account
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 6d06a9ac69..aeadcb900a 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -3,7 +3,7 @@ title: Physically install Microsoft Surface Hub
description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation.
ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, readiness guide, installation location, mounting options
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 198dba4f74..69ca8e6c3e 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Prepare your environment for Microsoft Surface Hub
description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub.
ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: prepare environment, features of Surface Hub, create and test device account, check network availability
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index 607c66829e..305403b9dc 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Create provisioning packages (Surface Hub)
description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: add certificate, provisioning package
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 7a9acbe0fd..1794a9bcac 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6bbfd1532a..12e59349d6 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -3,7 +3,7 @@ title: Save your BitLocker key (Surface Hub)
description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, BitLocker, Bitlocker recovery keys
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96f42c3df1..08ca875984 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -3,7 +3,7 @@ title: Set up Microsoft Surface Hub
description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: set up instructions, Surface Hub, setup worksheet, first-run program
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 6043d88f1d..e7352a5dbe 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -3,7 +3,7 @@ title: Setup worksheet (Surface Hub)
description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Setup worksheet, pre-setup, first-time setup
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index c805fb9005..910f2d0129 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
index b683f85daf..9de0b753f9 100644
--- a/devices/surface-hub/support-solutions-surface-hub.md
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -3,7 +3,7 @@ title: Top support solutions for Microsoft Surface Hub
description: Find top solutions for common issues using Surface Hub.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md
index ff8dbd07ad..2c713a0a21 100644
--- a/devices/surface-hub/surface-hub-2s-pack-components.md
+++ b/devices/surface-hub/surface-hub-2s-pack-components.md
@@ -36,7 +36,7 @@ Use the following steps to pack your Surface Hub 2S 50" for shipment.
| **7.** | Replace the cover and slide the Compute Cartridge back into the unit. | |
| **8.** | Re-fasten the locking screw and slide the cover into place. | |
| **9.** | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container. | |
-| **10.** | Replace the cover of the shipping container, and insert the four clips. | |
| **11.** | Close the four clips. | |
diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md
index 7493e10c3c..44912c169c 100644
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@@ -60,16 +60,6 @@ Using Surface Hub 2S, you can reinstall the device by using a recovery image. By
When the first-time setup screen appears,remove the USB drive.
-## Recover a locked Surface Hub
-
-At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data.
-
-**To unlock a Surface Hub 2S:**
-- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
-
-> [!NOTE]
-> To enter recovery mode, unplug the power cord and plug it in again three times.
-
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 9ad0606641..80c7dbefd1 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/28/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 5e5073588a..79ff342ba9 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/22/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
index 105a188ae1..aa1b746b8d 100644
--- a/devices/surface-hub/surface-hub-qos.md
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -1,7 +1,7 @@
---
title: Implement Quality of Service on Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to configure QoS on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index 75feb89fc2..2db5f9706e 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -3,7 +3,7 @@ title: Using the Surface Hub Recovery Tool
description: How to use the Surface Hub Recovery Tool to re-image the SSD.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md
new file mode 100644
index 0000000000..4dc2b7518e
--- /dev/null
+++ b/devices/surface-hub/surface-hub-security.md
@@ -0,0 +1,158 @@
+---
+title: "Surface Hub security overview"
+description: "This page explains the Defense in Depth design of Surface Hub and describes security enhancements in Surface Hub 2S, wireless security protections, and related features."
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: coveminer
+ms.author: v-jokai
+manager: laurawi
+audience: Admin
+ms.topic: article
+ms.date: 03/27/2020
+ms.localizationpriority: High
+---
+# Surface Hub security overview
+
+Surface Hub provides a locked-down computing appliance with custom platform firmware running the Windows 10 Team Edition operating system. The resulting device takes the traditional, "single use" secure kiosk, "only run what you need" philosophy and delivers a modern take on it. Built to support a rich collaborative user experience, Surface Hub is protected against continually evolving security threats.
+
+Built on Windows 10, Surface Hub delivers enterprise-grade modern security enabling IT admins to enforce data protection with BitLocker, Trusted Platform Module 2.0 (TPM), plus cloud-powered security with Windows Defender (also known as Microsoft Defender).
+
+## Defense in Depth security
+
+Security protocols begin as soon as Surface Hub is turned on. Starting at the firmware level, Surface Hub will only load the operating system and its components in response to multiple security checks. Surface Hub employs a strategy called Defense in Depth that involves layering independent defensive sub-components to protect the whole of the system in the event of partial failure. This industry practice has proven to be highly effective in mitigating against potential unilateral exploits and weakness in sub-components.
+
+The modern Unified Extensible Firmware Interface (UEFI) is statically and securely configured by Microsoft to only boot an authenticated Windows 10 Team Edition operating system from internal storage. Every line of code that runs on Surface Hub has its signature verified prior to execution. Only applications signed by Microsoft, either as part of the operating system or installed via the Microsoft Store, can run on the Surface Hub. Code or apps not meeting these requirements are blocked.
+
+Surface Hub security systems include the following:
+
+- **Boot-time defenses.** Loads only trusted Surface Hub operating system components.
+- **Operating system defenses.** Protects against execution of unintended or malicious software or code.
+- **User interface defenses.** Provides a user interface that's safe for end users, preventing access to potentially risky activities such as running executables from the command line.
+
+### Boot-time defenses
+
+The SoC has a security processor that's separate from every other core. When you first start Surface Hub, only the security processor starts before anything else can be loaded.
+
+
+
+#### Secure Boot
+
+Secure Boot is used to verify that the components of the boot process, including drivers and the operating system, are validated against a database of valid and known signatures. On Surface Hub, a platform-specific signature must first be validated before the authorized Windows Team operating system can be loaded. This helps prevent attacks from a cloned or modified system running malicious code hidden in what appears to be an otherwise normal user experience. For more information, see [Secure Boot overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot).
+
+### Operating system defenses
+
+Once the operating system is verified as originating from Microsoft and Surface Hub successfully completes the boot process, the device scrutinizes the executable code. Our approach to securing the operating system involves identifying the code signature of all executables, allowing only those that pass our restrictions to be loaded into the runtime. This code signing method enables the operating system to verify the author and confirm that code was not altered prior to running on the device.
+
+Surface Hub uses a code signing feature known as User Mode Code Integrity (UMCI) in Windows Application Control (formerly known as Device Guard). Policy settings are configured to only allow apps that meet one of these requirements:
+
+- Universal Windows Platform (Microsoft Store) apps that are [officially certified](https://docs.microsoft.com/windows/uwp/publish/the-app-certification-process).
+- Apps signed with the unique Microsoft Production Root Certification Authority (CA), which can only be signed by Microsoft employees with authorized access to those certificates.
+- Apps signed with the unique Surface Hub Production Root C.
+
+The configuration file is signed using the Microsoft Production Root CA designed to prevent restrictions from being removed or modified by a third party. All other executables at this point are simply blocked at the operating system runtime level and prevented from accessing processing power. This attack surface reduction provides the following protections:
+
+- No legacy document modes
+- No legacy script engines
+- No Vector Markup Language
+- No Browser Helper Objects
+- No ActiveX controls
+
+In addition to blocking unsigned or incorrectly signed code via UMCI, Surface Hub uses Windows Application Control to block Windows components, such as the Command Prompt, PowerShell, and Task Manager. These safeguards reflect a key design feature of Surface Hub as a secure computing appliance. For more information, see the following:
+
+- [Application Control overview](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+
+### User interface defenses
+
+While boot-time defenses and operating system lockdown safeguards deliver foundational security, the user interface provides an additional layer designed to further reduce risk. To prevent malicious code from reaching the device through drivers, Surface Hub does not download advanced drivers for plug and play (PnP) devices. Devices that leverage basic drivers, such as USB flash drives or certified Surface Hub peripherals (speakers, microphones, cameras) work as expected, but advanced systems, such as printers, will not.
+
+User interface defenses also simplify the UI, further preventing the execution of malicious software or code. The following Surface Hub UI elements layer the core security provided by code signing:
+
+- **File Explorer.** Surface Hub has a custom File Explorer that enables quick access to Music, Videos, Documents, Pictures, and Downloads folders — without exposing users to system or program files. Other locations on the local hard drive are not available through File Explorer. In addition, many file types running such as .exe, and .msi installation files cannot run providing another layer of safety against potentially malicious executables.
+
+- **Start & All Apps.** The Start and All Apps components of Surface Hub do not expose access to Command Prompt, PowerShell, or other Windows components blocked via Application Control. In addition, Windows run functionality typically accessed on PCs from the Search box is turned off for Surface Hub.
+
+## Security enhancements in Surface Hub 2S
+
+Although Surface Hub and Surface Hub 2S both run the same operating system software, some features unique to Surface Hub 2S provide additional management and security capabilities enabling IT admins to perform the following tasks:
+
+- Manage UEFI settings with SEMM
+- Recover Hub with bootable USB
+- Harden device account with password rotation
+
+### Manage UEFI settings with SEMM
+
+UEFI is an interface between the underlying hardware platform pieces and the operating system. On Surface Hub, a custom UEFI implementation allows granular control over these settings and prevents any non-Microsoft entity from changing the UEFI settings of the device — or booting to a removable drive to modify or change the operating system.
+
+At a high level, during the factory provisioning process, Surface Hub UEFI is preconfigured to enable Secure Boot and is set to only boot from the internal solid-state drive (SSD), with access to UEFI menus locked down and shortcuts removed. This seals UEFI access and ensures the device can only boot into the Windows Team operating system installed on Surface Hub.
+
+When managed via Microsoft Surface Enterprise Management Mode (SEMM), IT admins can deploy UEFI settings on Hub devices across an organization. This includes the ability to enable or disable built-in hardware components, protect UEFI settings from being changed by unauthorized users, and adjust boot settings.
+
+
+
+Admins can implement SEMM and enrolled Surface Hub 2S devices using the downloadable [Microsoft Surface UEFI Configurator](https://www.microsoft.com/download/details.aspx?id=46703). For more information, see [Secure and manage Surface Hub 2S with SEMM and UEFI](https://docs.microsoft.com/surface-hub/surface-hub-2s-secure-with-uefi-semm).
+Secured using a certificate to protect the configuration from unauthorized tampering or removal, SEMM enables management of the following components:
+
+- Wired LAN
+- Camera
+- Bluetooth
+- Wi-Fi
+- Occupancy sensor
+- IPv6 for PXE Boot
+- Alternate Boot
+- Boot Order Lock
+- USB Boot
+- UEFI front page interface
+ - Devices
+ - Boot
+ - Date/Time
+
+
+### Recover Hub with bootable USB
+
+Surface Hub 2S enables admins to reinstall the device to factory settings using a recovery image in as little as 20 minutes. Typically, you would only need to do this if your Surface Hub is no longer functioning. Recovery is also useful if you have lost the Bitlocker key or no longer have admin credentials to the Settings app.
+
+### Harden device account with password rotation
+
+Surface Hub uses a device account, also known as a "room account" to authenticate with Exchange, Microsoft Teams, and other services. When you enable password rotation, Hub 2S automatically generates a new password every 7 days, consisting of 15-32 characters with a combination of uppercase and lowercase letters, numbers, and special characters. Because no one knows the password, the device account password rotation effectively mitigates associated risk from human error and potential social engineering security attacks.
+
+## Windows 10 enterprise-grade security
+
+In addition to Surface Hub-specific configurations and features addressed in this document, Surface Hub also uses the standard security features of Windows 10. These include:
+
+- **BitLocker**. The Surface Hub SSD is equipped with BitLocker to protect the data on the device. Its configuration follows industry standards. For more information, see [BitLocker overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot).
+- **Windows Defender.** The Windows Defender anti-malware engine runs continuously on Surface Hub and works to automatically remediate threats found on Surface Hub. The Windows Defender engine receives updates automatically and is manageable via remote management tools for IT admins. The Windows Defender engine is a perfect example of our Defense in Depth approach: If malware can find a way around our core code-signage-based security solution, it will be caught here. For more information, see [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
+- **Plug and play drivers.** To prevent malicious code from reaching the device through drivers, Surface Hub does not download advanced drivers for PnP devices. This allows devices that leverage basic drivers such as USB flash drives to work as expected while blocking more advanced systems such as printers.
+- **Trusted Platform Module 2.0.** Surface Hub has an industry standard discrete Trusted Platform Module (dTPM) for generating and storing cryptographic keys and hashes. The dTPM protects keys used for the verification of boot phases, the BitLocker master key, password-less sign-on key, and more. The dTPM meets [FIPS 140-2 Level 2](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation) certification, the U.S. government computer security standard, and is compliant with [Common Criteria](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria) certification used worldwide.
+
+## Wireless security for Surface Hub
+
+Surface Hub uses Wi-Fi Direct / Miracast technology and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
+
+Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
+
+Wi-Fi Direct or Wi-Fi "peer to peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
+
+Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Devices can be authenticated using a numerical pin, a physical or virtual push button, or an out-of-band message using near-field communication. Surface Hub supports both push button by default as well PIN methods. For more information, see [How Surface Hub addresses Wi-Fi Direct security issues](https://docs.microsoft.com/surface-hub/surface-hub-wifi-direct).
+
+## Learn more
+
+- [Secure Boot overview](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-secure-boot)
+
+- [BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
+
+- [Application Control overview](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+
+- [Secure and manage Surface Hub 2S with SEMM and UEFI](https://docs.microsoft.com/surface-hub/surface-hub-2s-secure-with-uefi-semm)
+
+- [How Surface Hub addresses Wi-Fi Direct security issues](https://docs.microsoft.com/surface-hub/surface-hub-wifi-direct)
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+
+- [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703)
+
+- [FIPS 140-2 Level 2](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation)
+
+- [Common Criteria certification](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria)
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
index 7896a7d634..12f256388d 100644
--- a/devices/surface-hub/surface-hub-ssd-replacement.md
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -1,7 +1,7 @@
---
title: Surface Hub SSD replacement
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to replace the solid state drive in a Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md
index 6abc46e411..209e77df4c 100644
--- a/devices/surface-hub/surface-hub-technical-55.md
+++ b/devices/surface-hub/surface-hub-technical-55.md
@@ -1,7 +1,7 @@
---
title: Technical information for 55" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 55" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md
index 0ba7d45aa1..837883da14 100644
--- a/devices/surface-hub/surface-hub-technical-84.md
+++ b/devices/surface-hub/surface-hub-technical-84.md
@@ -1,7 +1,7 @@
---
title: Technical information for 84" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 84" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
@@ -134,7 +134,7 @@ RJ11, bottom I/O |  | Connects to room control systems.
---
-***Removable lifting handles on 84” Surface Hub ***
+***Removable lifting handles on 84” Surface Hub***
@@ -142,7 +142,7 @@ RJ11, bottom I/O |  | Connects to room control systems.
---
-***Wall mount threads on back of 84” Surface Hub ***
+***Wall mount threads on back of 84” Surface Hub***
diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index 8e584f17b3..673c77e71c 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -24,6 +24,23 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
+May 4, 2020—update for Surface Hub 2S
+
+This update is specific to the Surface Hub 2S and provides the driver and firmware updates outlined below:
+
+* Surface USB audio driver - 15.3.6.0
+ * Improves directional audio performance.
+* Intel(R) display audio driver - 10.27.0.5
+ * Improves screen sharing scenarios.
+* Intel(R) graphics driver - 26.20.100.7263
+ * Improves system stability.
+* Surface System driver - 1.7.139.0
+ * Improves system stability.
+* Surface SMC Firmware update - 1.176.139.0
+ * Improves system stability.
+February 28, 2020—update for Surface Hub 2S
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 8d94858bfa..fc1ada3230 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/27/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 0626c4a0d7..4c324d33ce 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 01/18/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index cf02da1a6e..4a30281eff 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 33233a023b..cf9f2b6339 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,7 +7,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index cbc437e783..1ec1e19ab5 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Using a room control system (Surface Hub)
description: Room control systems can be used with your Microsoft Surface Hub.
ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: room control system, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index a6e9524cd2..a1e05d92b5 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -1,6 +1,6 @@
---
title: Set up and use Microsoft Whiteboard
-description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
+description: Microsoft Whiteboard's latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
ms.prod: surface-hub
ms.sitesec: library
author: dansimp
@@ -8,13 +8,13 @@ ms.author: dansimp
ms.topic: article
ms.date: 03/18/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
# Set up and use Microsoft Whiteboard
-The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices to collaborate in real time on the same board.
+The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices with the Microsoft Whiteboard app installed to collaborate in real time on the same board.
## Prerequisites
@@ -48,14 +48,16 @@ On the other device, such as a Surface Hub, when you are signed in, the shared b
- You can also change the background color and design from solid to grid or dots. Pick the background, then choose the color from the wheel around it.
- You can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working.
+For more information, see [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d).
+
> [!NOTE]
-> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you’re done, tap **Settings** > **Export to email** or save a copy of the board. The SVG export provides higher resolution than PNG and can be opened in a web browser.
+> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you're done, tap **Settings** > **Export to email** or save a copy of the board. If you choose to export to SVG, it exports vector graphics and provides higher resolution than PNG and can be opened in a web browser.
## New features in Whiteboard
The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a host of new features including:
-- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery.
+- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery. There is no local folder name or directory.
- **Extended collaboration across devices** - You can collaborate using new apps for Windows 10 PC and iOS, and a web version for other devices.
- **Richer canvas** - In addition to ink and images, Whiteboard now includes sticky notes, text and GIFs, with more objects coming soon.
- **Intelligence** – In addition to ink to shape and table, Whiteboard now includes ink beautification to improve handwriting and ink grab to convert images to ink.
@@ -68,3 +70,5 @@ The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a
- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
+
+- [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0a314fe596..96162edafe 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Wireless network management (Surface Hub)
description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection.
ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network connectivity, wired connection
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 7245176edd..4d8062c985 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -4,6 +4,9 @@
## Overview
+### [What's new in Surface Dock 2](surface-dock-whats-new.md)
+### [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md)
+### [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md)
### [Surface Pro 7 for Business](https://www.microsoft.com/surface/business/surface-pro-7)
### [Surface Pro X for Business](https://www.microsoft.com/surface/business/surface-pro-x)
### [Surface Laptop 3 for Business](https://www.microsoft.com/surface/business/surface-laptop-3)
@@ -26,11 +29,11 @@
### [Deploy Surface devices](deploy.md)
### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
+### [Windows Virtual Desktop on Surface](windows-virtual-desktop-surface.md)
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
-### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index c677b56488..017f34559f 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -3,17 +3,16 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface)
description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: security, features, configure, hardware, device, custom, script, update
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 07/27/2017
---
# Advanced UEFI security features for Surface Pro 3
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index db6a63ad69..296a57b10e 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -5,12 +5,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/21/2019
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
---
# Surface Asset Tag Tool
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index c5d75cda00..0da0c326e7 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -5,14 +5,14 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.date: 10/31/2019
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
+author: coveminer
+ms.reviewer: jesko
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.audience: itpro
+manager: laurawi
+audience: itpro
+ms.date: 5/06/2020
---
# Battery Limit setting
@@ -33,6 +33,11 @@ The Surface UEFI Battery Limit setting can be configured by booting into Surface
+## Enabling battery limit on Surface Go and Surface Go 2
+The Surface Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Kiosk Mode**, move the slider to the right to set Battery Limit to **Enabled**.
+
+
+
## Enabling Battery Limit in Surface UEFI (Surface Pro 3)
The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**.
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 18fc041b85..35be5e736d 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -1,17 +1,16 @@
---
title: Change history for Surface documentation (Windows 10)
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics in the Surface documentation library.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
---
# Change history for Surface documentation
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 0b9915c4b0..f68989b045 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 11/25/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Considerations for Surface and Microsoft Endpoint Configuration Manager
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index 46c321367b..70d53dae71 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,18 +3,17 @@ title: Customize the OOBE for Surface deployments (Surface)
description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: deploy, customize, automate, network, Pen, pair, boot
ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.audience: itpro
-ms.date: 10/21/2019
---
# Customize the OOBE for Surface deployments
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index a03f6e46fa..121be61007 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, store
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Deploy Surface app with Microsoft Store for Business and Education
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index 61fc8352df..47f14939db 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -6,14 +6,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 01/15/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
+ms.date: 04/24/2020
---
# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
@@ -28,779 +28,8 @@ manager: dansimp
- Surface 3
- Windows 10
-This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app.
-
> [!NOTE]
-> MDT is not currently supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
-When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies.
-
-By following the procedures in this article, you can create an up-to-date reference image and deploy this image to your Surface devices, a process known as *reimaging*. Reimaging will erase and overwrite the existing environment on your Surface devices. This process allows you to rapidly configure your Surface devices with identical environments that can be configured to precisely fit your organization’s requirements.
-
-An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while retaining your user data, applications, and settings. You can read about how to manage and automate the upgrade process of Surface devices to Windows 10 at [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md).
-
-The goal of the deployment process presented in this article is automation. By leveraging the many technologies and tools available from Microsoft, you can create a process that requires only a single touch on the devices being deployed. The automation can load the deployment environment; format the device; prepare an updated Windows image with the drivers required for the device; apply that image to the device; configure the Windows environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows updates that were not included in the reference image; and log out.
-
-By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you create a process that can be easily repeated and where human error becomes less of a factor. Take for example a scenario where you create a reference image for the device manually, but you accidentally install conflicting applications and cause the image to become unstable. In this scenario you have no choice but to begin again the manual process of creating your image. If in this same scenario you had automated the reference image creation process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task sequence.
-
-## Deployment tools
-
-The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/download/windows.aspx).
-
-#### Microsoft Deployment Toolkit
-
-The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*.
-
-You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741).
-
-#### Windows Assessment and Deployment Kit
-
-Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data.
-
-You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk).
-
-#### Windows 10 installation media
-
-Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
-
->[!NOTE]
->The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
-
-
-#### Windows Server
-
-Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
-
-
->[!NOTE]
->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter).
-
-
-#### Windows Deployment Services
-
-Windows Deployment Services (WDS) is leveraged to facilitate network boot capabilities provided by the Preboot Execution Environment (PXE) server. The boot media generated by MDT is loaded onto the Surface device simply by pressing Enter at the prompt when the device attempts to boot from the attached network adapter or Surface Dock.
-
-#### Hyper-V virtualization platform
-
-The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers – especially complex drivers that include application components like control panel applications – you ensure that the image created by your reference image process will be as universally compatible as possible.
-
->[!NOTE]
->A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
-
-Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
-
-
->[!NOTE]
->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
-
-
-#### Surface firmware and drivers
-
-For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
-
->[!NOTE]
->Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
-
-#### Application installation files
-
-In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line.
-
->[!NOTE]
->If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
-
-#### Microsoft Surface Deployment Accelerator
-
-If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
-
-### Install the deployment tools
-
-Before you can configure the deployment environment with Windows images, drivers, and applications, you must first install the deployment tools that will be used throughout the deployment process. The three main tools to be installed are WDS, Windows ADK, and MDT. WDS provides the capacity for network boot, Windows ADK provides several deployment tools that perform specific deployment tasks, and MDT provides automation and a central interface from which to manage and control the deployment process.
-
-To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment – MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment.
-
->[!NOTE]
->To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
-
-#### Install Windows Deployment Services
-
-Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services.
-
-
-
-*Figure 1. Install the Windows Deployment Services server role*
-
-After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your server’s name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2.
-
-
-
-*Figure 2. Configure PXE response for Windows Deployment Services*
-
->[!NOTE]
->Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
-
-Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console.
-
->[!NOTE]
->You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
-
-#### Install Windows Assessment and Deployment Kit
-
-To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
-
->[!NOTE]
->You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
-
-When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3.
-
-
-
-*Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT*
-
-#### Install Microsoft Deployment Toolkit
-
-After the Windows ADK installation completes successfully, you can install MDT. When you download MDT, ensure that you download the version that matches the architecture of your deployment server environment. For Windows Server the architecture is 64-bit. Download the MDT installation file that ends in **x64**. When MDT is installed you can use the default options during the installation wizard, as shown in Figure 4.
-
-
-
-*Figure 4. Install the Microsoft Deployment Toolkit with default options*
-
-Before you can open the MDT Deployment Workbench, you must enable execution of scripts in PowerShell. If you do not do this, the following error message may be displayed: *"Initialization Error PowerShell is required to use the Deployment Workbench. Please install PowerShell then relaunch Deployment Workbench."*
-
-To enable the execution of scripts, run the following cmdlet in PowerShell as an Administrator:
-
- `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser`
-
-## Create a reference image
-
-Now that you have installed the required tools, you can begin the first step of customizing your deployment environment to your needs – create a reference image. Because the reference image should be created in a virtual machine where there is no need for drivers to be installed, and because the reference image will not include applications, you can use the MDT deployment environment almost entirely with default settings.
-
-### Create a deployment share
-
-Now that you have the tools installed, the next step is to configure MDT for the creation of a reference image. Before you can perform the process of creating a reference image, MDT needs to be set up with a repository for scripts, images, and other deployment resources. This repository is known as the *deployment share*. After the deployment share is created, you must supply MDT with a complete set of Windows 10 installation files, the last set of tools required before MDT can perform reference image creation.
-
-To create the deployment share, follow these steps:
-
-1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5.
-
- 
-
- *Figure 5. The MDT Deployment Workbench*
-
-2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6.
-
- 
-
- *Figure 6. The Summary page of the New Deployment Share Wizard*
-
-3. Create a new deployment share with New Deployment Share Wizard with the following steps:
-
- * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**.
-
- >[!NOTE]
- >Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
-
- * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**.
-
- >[!NOTE]
- >The share name cannot contain spaces.
-
- >[!NOTE]
- >You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
-
- * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench.
- * **Options** – You can accept the default options on this page. Click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share.
- * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process.
- * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard.
-
-4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share.
-5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored.
-
-To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media.
-
->[!NOTE]
->If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
-
-You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices.
-
-### Import Windows installation files
-
-The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
-
->[!NOTE]
->A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT.
-
-To import Windows 10 installation files, follow these steps:
-
-1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7.
-
- 
-
- *Figure 7. Create a new folder on the New Folder page*
-
-2. On the **New Folder** page a series of steps is displayed, as follows:
- * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**.
- * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**.
- * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly.
- * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page.
-3. Expand the Operating Systems folder to see the newly created folder.
-4. Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8.
-
- 
-
- *Figure 8. Import source files with the Import Operating System Wizard*
-
-5. The Import Operating System Wizard walks you through the import of your operating system files, as follows:
- * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**.
- * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**.
- * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the installation files are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard.
-6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10.
-
-Now that you’ve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications.
-
-### Create reference image task sequence
-
-As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process.
-
->[!NOTE]
->For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
-
-To create the reference image task sequence, follow these steps:
-
-1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9.
-
- 
-
- *Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment*
-
-2. The New Task Sequence Wizard presents a series of steps, as follows:
- * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
- * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**.
- * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**.
- * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
- >[!NOTE]
- >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- * **Progress** – While the task sequence is created, a progress bar is displayed on this page.
- * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
-3. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-4. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10.
-
- 
-
- *Figure 10. Enable Windows Update in the reference image task sequence*
-
-5. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder.
-6. Click the **Options** tab, and then clear the **Disable This Step** check box.
-7. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
-8. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window.
-
-### Generate and import MDT boot media
-
-To boot the reference virtual machine from the network, the MDT deployment share first must be updated to generate boot media with the resources that have been added in the previous sections.
-
-To update the MDT boot media, follow these steps:
-
-1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11.
-
- 
-
- *Figure 11. Generate boot images with the Update Deployment Share Wizard*
-
-2. Use the Update Deployment Share Wizard to create boot images with the following process:
- * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**.
- >[!NOTE]
- >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
- * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images.
- * **Progress** – While the boot images are being generated, a progress bar is displayed on this page.
- * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
-3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12:
- * **LiteTouchPE_x86.iso**
- * **LiteTouchPE_x86.wim**
- * **LiteTouchPE_x64.iso**
- * **LiteTouchPE_x64.wim**
-
-
- 
-
- *Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard*
-
-To import the MDT boot media into WDS for PXE boot, follow these steps:
-
-1. Open Windows Deployment Services from the Start menu or Start screen.
-2. Expand **Servers** and your deployment server.
-3. Click the **Boot Images** folder, as shown in Figure 13.
-
- 
-
- *Figure 13. Start the Add Image Wizard from the Boot Images folder*
-
-4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14.
-
- 
-
- *Figure 14. Import the LiteTouchPE_x86.wim MDT boot image*
-
-5. The Add Image Wizard displays a series of steps, as follows:
- * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**.
- * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
- * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**.
- * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
-
->[!NOTE]
->Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
-
-If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
-
->[!NOTE]
->If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
-
-### Deploy and capture a reference image
-
-Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
-
->[!NOTE]
->You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.
-By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
-
-You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
-
-* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices.
-* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766).
-* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP.
-* Configure your boot order such that PXE Boot is the first option.
-
-When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server.
-
-Perform the reference image deployment and capture using the following steps:
-
-1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15.
-
- 
-
- *Figure 15. Start network boot by pressing the F12 key*
-
-2. Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process.
-3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share.
-4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules.
-5. The Windows Deployment Wizard displays a series of steps, as follows:
- * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**.
- * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured.
- * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**.
- * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**.
- * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
- * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
-
- 
-
- *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment*
-
- * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.
-
-6. Your reference task sequence will run with the specified options.
-
-As the task sequence processes the deployment, it will automatically perform the following tasks:
-* Install the Windows 10 image from the installation files you supplied
-* Reboot into Windows 10
-* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date
-* Run Sysprep and prepare the Windows 10 environment for deployment
-* Reboot into WinPE
-* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
-
->[!NOTE]
->The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
-
-When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
-
-## Deploy Windows 10 to Surface devices
-
-With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment.
-
-### Import reference image
-
-After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10.
-
-To import the reference image for deployment, use the following steps:
-
-1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard.
-2. Import the custom image with the Import Operating System Wizard by using the following steps:
- * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**.
- * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**.
- * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**.
- * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the image is imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
-3. Expand the folder in which you imported the image to verify that the import completed successfully.
-
->[!NOTE]
->You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
-
-Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
-
-### Import Surface drivers
-
-Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
-
-To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
-
-1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files.
-2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
-3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
- * WinPE x86
- * WinPE x64
- * Windows 10 x64
- * Microsoft Corporation
- * Surface Pro 4
-
- 
-
- *Figure 17. The recommended folder structure for drivers*
-
-4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18.
-
- 
-
- *Figure 18. The Progress page during drivers import*
-
-5. The Import Driver Wizard displays a series of steps, as follows:
- * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1.
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- * **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
-6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19.
-
- 
-
- *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share*
-
-### Import applications
-
-You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
-
-#### Import Microsoft Office 365 Installer
-
-The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424).
-
-Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organization’s needs and use the steps provided by that page to download the Office installation files for use with MDT.
-
-After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps:
-
-1. Right-click the existing **Configuration.xml** file, and then click **Edit**.
-2. This action opens the file in Notepad. Replace the existing text with the following:
- ```
-
Photography
Video | Graphic design
Photography
Video | Al-powered Workflows
App certifications
High-res video
Pro broadcasting
Multi-app workflows |
+| **Key apps** | Adobe Creative Suite | Adobe Creative Suite | Adobe Creative Suite
Autodesk AutoCAD
Dassault Systemes SolidWorks |
+| **GPU acceleration** | Video and image processing | Video and image processing | Ray tracing + AI + 6K video
Pro broadcasting features
Enterprise support |
+
+
+
+**Table 2. GPU tech specs on Surface Book 3**
+
+| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
+| -------------------------------------------------------- | -------------------- | ----------------------- | ------------------- |
+| **NVIDIA CUDA processing cores** | 1024 | 1536 | 1920 |
+| **NVIDIA Tensor Cores** | No | No | 240 |
+| **NVIDIA RT Cores** | No | No | 30 |
+| **GPU memory** | 4 GB | 6 GB | 6 GB |
+| **Memory Bandwidth (GB/sec)** | Up to 112 | Up to 288 | Up to 288 |
+| **Memory type** | GDDR5 | GDDR6 | GDDR6 |
+| **Memory interface** | 128-bit | 192-bit | 192-bit |
+| **Boost clock MHz** | 1245 | 1425 | 1305 |
+| **Base clock (MHz)** | 1020 | 1245 | 765 |
+| **Real-time ray tracing** | No | No | Yes |
+| **AI hardware acceleration** | No | No | Yes |
+| **Hardware Encoder** | Yes | Yes | Yes |
+| **Game Ready Driver (GRD)** | Yes 1 | Yes 1 |Yes 2
+| **Studio Driver (SD)** | Yes 1 | Yes1 | Yes 1 |
+| **Optimal Driver for Enterprise (ODE)** | No | No | Yes |
+| **Quadro New Feature Driver (QNF)** | No | No | Yes |
+| **Microsoft DirectX 12 API, Vulkan API, Open GL 4.6** | Yes | Yes | Yes |
+| **High-bandwidth Digital Content Protection (HDCP) 2.2** | Yes | Yes | Yes |
+| **NVIDIA GPU Boost** | Yes | Yes | Yes |
+
+
+ 1. *Recommended*
+ 2. *Supported*
+
+## Optimizing power and performance on Surface Book 3
+
+Windows 10 includes a Battery Saver mode with a performance slider that lets you maximize app performance (by sliding it to the right) or preserve battery life (by sliding it to the left). Surface Book 3 implements this functionality algorithmically to optimize power and performance across the following components:
+
+- CPU Energy Efficiency Registers (Intel Speed Shift technology) and other SoC tuning parameters to maximize efficiency.
+- Fan Maximum RPM with four modes: quiet, nominal, performance, and max.
+- Processor Power Caps (PL1/PL2).
+- Processor IA Turbo limitations.
+
+By default, when the battery drops below 20 percent, the Battery Saver adjusts settings to extend battery life. When connected to power, Surface Book 3 defaults to “Best Performance” settings to ensure apps run in high performance mode on the secondary NVIDIA GPU present on all i7 Surface Book 3 systems.
+
+Using default settings is recommended for optimal performance when used as a laptop or detached in tablet or studio mode. You can access Battery Saver by selecting the battery icon on the far right of the taskbar.
+
+### Game mode
+
+Surface Book 3 includes a new game mode that automatically selects maximum performance settings when launched.
+
+### Safe Detach
+
+New in Surface Book 3, apps enabled for Safe Detach let you disconnect while the app is using the GPU. For supported apps like *World of Warcraft*, your work is moved to the iGPU.
+
+### Modifying app settings to always use a specific GPU
+
+You can switch between the power-saving but still capable built-in Intel graphics and the more powerful discrete NVIDIA GPU and associate a GPU with a specific app. By default, Windows 10 automatically chooses the appropriate GPU, assigning graphically demanding apps to the discrete NVIDIA GPU. In most instances there is no need to manually adjust these settings. However, if you frequently detach and reattach the display from the keyboard base while using a graphically demanding app, you’ll typically need to close the app prior to detaching. To enable continuous use of the app without having to close it every time you detach or reattach the display, you can assign it to the integrated GPU, albeit with some loss of graphics performance.
+
+In some instances, Windows 10 may assign a graphically demanding app to be iGPU; for example, if the app is not fully optimized for hybrid graphics. To remedy this, you can manually assign the app to the discrete NVIDIA GPU.
+
+**To configure apps using custom per-GPU options:**
+
+1. Go to **Settings** > **System** > **Display** and select **Graphics Settings**.
+
+ 1. For a Windows desktop program, choose **Classic App** > **Browse** and then locate the program.
+ 2. For a UWP app, choose **Universal App** and then select the app from the drop-down list.
+
+2. Select **Add** to create a new entry on the list for your selected program, select Options to open Graphics Specifications, and then select your desired option.
+
+ 
+
+3. To verify which GPU are used for each app, open **Task Manager,** select **Performance,** and view the **GPU Engine** column.
+
+
+## Appendix A: Surface Book 3 SKUs
+
+| **Display** | **Processor** | **GPU** | **RAM** | **Storage** |
+| ------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------- | ---------- | ----------- |
+| **13.5-inch** | Quad-core 10th Gen Core i5-1035G7 | Intel Iris™ Plus Graphics | 16 LPDDR4x | 256 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 16 LPDDR4x | 256 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 512 GB |
+| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 1 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 16 LPDDR4x | 256 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 2 TB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+
+> [!NOTE]
+> 2TB SSD available in U.S. only: Surface Book 3 15” with NVIDIA GTX 1660Ti
+
+## Summary
+
+Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
+
+
+## Learn more
+
+- [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md)
+- [Surface for Business](https://www.microsoft.com/surface/business)
diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md
new file mode 100644
index 0000000000..79fb762dba
--- /dev/null
+++ b/devices/surface/surface-book-quadro.md
@@ -0,0 +1,136 @@
+---
+title: Surface Book 3 GPU technical overview
+description: This article describes the advanced capabilities enabled by Nvidia Quadro RTX 3000 in select Surface Book 3 for Business 15-inch models.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: v-jokai
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+
+# Surface Book 3 Quadro RTX 3000 technical overview
+
+Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
+
+- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
+- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
+- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
+
+## Enterprise grade solution
+
+Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
+
+Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
+
+NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
+
+
+## Built for compute-intensive workloads
+
+Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
+
+- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
+- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
+- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
+- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
+
+
+**Table 1. Quadro RTX 3000 performance features**
+
+| **Component** | **Description** |
+| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
+| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
+| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
+| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
+| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. |
+| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. |
+| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
+| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
+| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
+| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. |
+| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. |
+| NVIDIA GPU boost 4.0 | Maximizes application performance automatically without exceeding the power and thermal envelope of the GPU. Allows applications to stay within the boost clock state longer under higher temperature threshold before dropping to a secondary temperature setting base clock. |
+
+ **Table 2. Quadro RTX tech specs**
+
+| **Component** | **Description** |
+| ---------------------------------------------------------- | --------------- |
+| NVIDIA CUDA processing cores | 1,920 |
+| NVIDIA RT Cores | 30 |
+| Tensor Cores | 240 |
+| GPU memory | 6 GB |
+| Memory bandwidth | 288 Gbps |
+| Memory type | GDDR6 |
+| Memory interface | 192-bit |
+| TGP max power consumption | 65W |
+| Display port | 1.4 |
+| OpenGL | 4.6 |
+| Shader model | 5.1 |
+| DirectX | 12.1 |
+| PCIe generation | 3 |
+| Single precision floating point performance (TFLOPS, Peak) | 5.4 |
+| Tensor performance (TOPS, Peak) | 42.9 |
+| NVIDIA FXAA/TX AA antialiasing | Yes |
+| GPU direct for video | Yes |
+| Vulkan support | Yes |
+| NVIDIA 3D vision Pro | Yes |
+| NVIDIA Optimus | Yes |
+
+
+## App acceleration
+
+The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
+
+**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
+
+| **App** | **Quadro RTX 3000 app acceleration capabilities**
|
+| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
+| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
+| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows.
|
+| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. |
+| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. |
+| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.
- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.
- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
+| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
+| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
+| Autodesk
Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.
- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
+| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. |
+| Autodesk
Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- OpenGL Viewport Acceleration. |
+| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15” |
+| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15. |
+| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. |
+| McNeel & Associates
Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.
- Supports Cycles for GPU-accelerated 3D rendering. |
+| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10 x faster compared with Surface Book 2 15”.. |
+| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. |
+| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.
- Runs more than 15% faster compared with Surface Book 2 15”. |
+| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
+| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA |
+## SKUs
+
+**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
+
+| **Display** | **Processor** | **GPU** | **RAM** | **Storage** |
+| ----------- | --------------------------------- | ------------------------------------------------------------------------------------------------ | ---------- | ----------- |
+| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB |
+| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB |
+
+## Summary
+
+Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
+
+- RTX-acceleration across multiple workflows like design, animation, video production, and more.
+- Desktop-grade performance in a mobile form factor.
+- Enterprise-class features, reliability, and support for mission-critical projects.
+
+## Learn more
+
+- [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md)
+- [Surface for Business](https://www.microsoft.com/surface/business)
+- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/)
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index d57966b6cf..044b0e0437 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -6,14 +6,13 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
---
# Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 62c4129d08..ae9ddc100b 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -5,13 +5,13 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: greglin
ms.topic: article
-ms.date: 10/31/2019
+ms.date: 05/11/2020
ms.reviewer: hachidan
-manager: dansimp
-ms.audience: itpro
+manager: laurawi
+audience: itpro
---
# Deploy Surface Diagnostic Toolkit for Business
@@ -41,6 +41,9 @@ Command line | Directly troubleshoot Surface devices remotely without user inter
SDT for Business is supported on Surface 3 and later devices, including:
+- Surface Book 3
+- Surface Go 2
+- Surface Pro X
- Surface Pro 7
- Surface Laptop 3
- Surface Pro 6
@@ -116,6 +119,7 @@ In addition to the .exe file, SDT installs a JSON file and an admin.dll file (mo
*Figure 2. Files installed by SDT*
+
## Preparing the SDT package for distribution
Creating a custom package allows you to target the tool to specific known issues.
@@ -170,6 +174,18 @@ You can select to run a wide range of logs across applications, drivers, hardwar
- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
## Changes and updates
+
+### Version 2.94.139.0
+*Release date: May 11, 2020*
+This version of Surface Diagnostic Toolkit for Business adds support for the following:
+
+- Ability to skip Windows Update to perform hardware check.
+- Ability to receive notifications for about the latest version update
+- Surface Go 2
+- Surface Book 3
+- Show progress indicator
+
+
### Version 2.43.139.0
*Release date: October 21, 2019*
This version of Surface Diagnostic Toolkit for Business adds support for the following:
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 6ea9d9ac55..035eec60da 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -4,12 +4,11 @@ description: How to run Surface Diagnostic Toolkit in a command console
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 11/15/2018
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 738ec1ecae..795bff7f7f 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -4,12 +4,11 @@ description: How to use SDT to help users in your organization run the tool to i
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/31/2019
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index a64fb3cc4f..2b19282899 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -4,11 +4,11 @@ description: This page provides an introduction to the Surface Diagnostic Toolki
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.reviewer: cottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -29,7 +29,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
**To run the Surface Diagnostic Toolkit for Business:**
-1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B).
+1. Download the Surface Diagnostic Toolkit for Business. To do this, go to the [**Surface Tools for IT** download page](https://www.microsoft.com/download/details.aspx?id=46703), choose **Download**, select **Surface Diagnostic Toolkit for Business** from the provided list, and choose **Next**.
2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required.
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index e872ddc649..26264b1509 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -1,5 +1,5 @@
---
-title: Microsoft Surface Dock Firmware Update
+title: Microsoft Surface Dock Firmware Update - Technical information for IT administrators
description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
ms.localizationpriority: medium
ms.prod: w10
@@ -9,26 +9,34 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
-ms.date: 02/07/2020
---
-# Microsoft Surface Dock Firmware Update
-
-This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
-
-Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used.
+# Microsoft Surface Dock Firmware Update: Technical information for IT administrators
> [!IMPORTANT]
->Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
+> This article contains technical instructions for IT administrators. If you are a home user, please see [How to update your Surface Dock Firmware](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) on the Microsoft Support site. The instructions at the support site are the same as the general installation steps below, but this article has additional information for monitoring, verifying, and deploying the update to multiple devices on a network.
+
+This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
+
+This tool supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. The earlier tool was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number) and is no longer available for download and should not be used.
+
+## Install the Surface Dock Firmware Update
+
+This section describes how to manually install the firmware update.
+
+> [!NOTE]
+> Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
+
+1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
+ - The update requires a Surface device running Windows 10, version 1803 or later.
+ - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
+
+2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
## Monitor the Surface Dock Firmware Update
-This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article:
- - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
- - [Event logging](#event-logging)
- - [Troubleshooting tips](#troubleshooting-tips)
- - [Versions reference](#versions-reference)
+This section is optional and provides an overview of how to monitor installation of the firmware update.
To monitor the update:
@@ -40,7 +48,6 @@ To monitor the update:
Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
```
3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article.
-
4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**.
- If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example:
@@ -50,15 +57,11 @@ To monitor the update:
>[!TIP]
>If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.
-## Install the Surface Dock Firmware Update
-
-This section describes how to install the firmware update.
-
-1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
- - The update requires a Surface device running Windows 10, version 1803 or later.
- - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
-
-2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted.
+Also see the following sections in this article:
+ - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
+ - [Event logging](#event-logging)
+ - [Troubleshooting tips](#troubleshooting-tips)
+ - [Versions reference](#versions-reference)
## Network deployment
diff --git a/devices/surface/surface-dock-whats-new.md b/devices/surface/surface-dock-whats-new.md
new file mode 100644
index 0000000000..253a73b069
--- /dev/null
+++ b/devices/surface/surface-dock-whats-new.md
@@ -0,0 +1,124 @@
+---
+title: What’s new in Surface Dock 2
+description: This article highlights new features and functionality for the next generation Surface Dock.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.localizationpriority: medium
+ms.sitesec: library
+author: coveminer
+ms.author: greglin
+ms.topic: article
+ms.date: 5/06/2020
+ms.reviewer: brrecord
+manager: laurawi
+audience: itpro
+---
+# What’s new in Surface Dock 2
+
+Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. An extended set of management tools will be released via Windows update upon commercial distribution.
+
+## General system requirements
+
+- Windows 10 version 1809. There is no support for Windows 7, Windows 8, or non-Surface host devices. Surface Dock 2 works with the following Surface devices:
+
+ - Surface Pro (5th Gen)
+ - Surface Pro (5th Gen) with LTE Advanced
+ - Surface Laptop (1st Gen)
+ - Surface Pro 6
+ - Surface Book 2
+ - Surface Laptop 2
+ - Surface Go
+ - Surface Go with LTE Advanced
+ - Surface Studio 2
+ - Surface Pro 7
+ - Surface Laptop 3
+ - Surface Book 3
+ - Surface Go 2
+ - Surface Go 2 with LTE Advanced
+
+
+## Surface Dock 2 Components
+
+
+
+### USB
+
+- Two front facing USB-C ports.
+- Two rear facing USB-C (gen 2) ports.
+- Two rear facing USB-A ports.
+
+### Video
+
+- Dual 4K@60hz. Supports up to two displays on the following devices:
+
+ - Surface Book 3
+ - Surface Go 2
+ - Surface Go 2 with LTE Advanced
+ - Surface Pro 7
+ - Surface Pro X
+ - Surface Laptop 3
+
+- Dual 4K@ 4K@30Hz. Supports up to two displays on the following devices:
+
+ - Surface Pro 6
+ - Surface Pro (5th Gen)
+ - Surface Pro (5th Gen) with LTE Advanced
+ - Surface Laptop 2
+ - Surface Laptop (1st Gen)
+ - Surface Go
+ - Surface Book 2.
+
+### Ethernet
+
+- 1 gigabit Ethernet port.
+
+### External Power supply
+
+- 199 watts supporting 100V-240V.
+
+
+## Comparing Surface Dock 2
+
+### Table 1. Surface Dock 2 tech specs comparison
+
+|Component|Surface Dock|Surface Dock 2|
+|---|---|---|
+|Surflink|Yes|Yes|
+|USB-A|2 front facing USB 3.1 Gen 1
2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)|
+|Mini Display port|2 rear facing (DP1.2)|None|
+|USB-C|None|2 front facing USB 3.2 Gen 2
[15W power]
2 rear facing USB 3.2 Gen 2 (DP1.4a)
[7.5W power]|
+|3.5 mm Audio in/out|Yes|Yes|
+|Ethernet|Yes, 1 gigabit|Yes 1 gigabit|
+|DC power in|Yes|Yes|
+|Kensington lock|Yes|Yes|
+|Surflink cable length|65cm|80cm|
+|Surflink host power|60W|120W|
+|USB load power|30W|60W|
+|USB bit rate|5 Gbps|10 Gbps|
+|Monitor support|2 x 4k @30fps, or
1 x 4k @ 60fps|2 x 4K @ 60fps|
+|Wake-on-LAN from Connected Standby1|Yes|Yes|
+|Wake-on-LAN from S4/S5 sleep modes|No|Yes|
+|Network PXE boot|Yes|Yes|
+|SEMM host access control|No|Coming in Windows Update2|
+|SEMM port access control3|No|Coming in Windows Update|
+|Servicing support|MSI|Windows Update or MSI|
+||||
+
+1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.*
+
+2. *Pending release via Windows Update.*
+
+3. *Software license required for some features. Sold separately.*
+
+## Streamlined device management
+
+Following the public announcement of Surface Dock 2, Surface will release streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features:
+
+- **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools.
+- **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools.
+- **Centralized IT control**. Control who can connect to Surface Dock 2 by turning ports on and off. Restrict which host devices can be used with Surface Dock 2. Limit dock access to a single user or configure docks so they can only be accessed by specific users in your team or across the entire company.
+
+## Next steps
+
+- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
+- [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 52e193b6dd..4599e50712 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -6,14 +6,14 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: greglin
ms.topic: article
-ms.date: 12/02/2019
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
-ms.audience: itpro
+audience: itpro
+ms.date: 05/11/2020
---
# Microsoft Surface Enterprise Management Mode
@@ -96,7 +96,7 @@ The following list shows all the available devices you can manage in SEMM:
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
-| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
+| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. |
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |
@@ -228,6 +228,11 @@ create a reset package using PowerShell to reset SEMM.
## Version History
+The latest version of SEMM released May 11, 2020 includes:
+- Support for Surface Go 2
+- Support for Surface Book 3
+- Bug fixes
+
### Version 2.59.
* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
- Support to Wake on Power feature
diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md
index efb5fa93b5..f21805f1a7 100644
--- a/devices/surface/surface-manage-dfci-guide.md
+++ b/devices/surface/surface-manage-dfci-guide.md
@@ -5,12 +5,12 @@ ms.localizationpriority: medium
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 11/13/2019
ms.reviewer: jesko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Intune management of Surface UEFI settings
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index fd98f72368..488eeca1a2 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -5,12 +5,12 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: high
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 1/22/2020
+ms.date: 4/15/2020
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Deploying, managing, and servicing Surface Pro X
@@ -44,7 +44,7 @@ Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager
A component of Microsoft Enterprise Mobility + Security, Intune integrates with Azure Active Directory for identity and access control and provides granular management of enrolled Surface Pro X devices. Intune mobile device management (MDM) policies have a number of advantages over older on-premises tools such as Windows Group Policy. This includes faster device login times and a more streamlined catalog of policies enabling full device management from the cloud. For example, you can manage LTE using eSIM profiles to configure data plans and deploy activation codes to multiple devices.
-For more information about setting up Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
+For more information about using Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
### Co-management
@@ -109,9 +109,9 @@ Popular browsers run on Surface Pro X:
## Installing and using Microsoft Office
- Use Office 365 for the best experience on a Windows 10 PC on an ARM-based processor.
-- Office 365 “click-to-run” installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
+- Office 365 "click-to-run" installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
- Microsoft Teams runs great on Surface Pro X.
-- For “perpetual versions” of Office such as Office 2019, install the 32-bit version.
+- For "perpetual versions" of Office such as Office 2019, install the 32-bit version.
## VPN
@@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P
| Endpoint Configuration Manager | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
-| Surface Dock Firmware Update | Yes | Yes | |
+| Surface Dock Firmware Update | Yes | No | |
| Asset Tag Utility | Yes | Yes | |
| Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
-| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. |
+| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md
index baa547d04b..4459d6052b 100644
--- a/devices/surface/surface-pro-arm-app-performance.md
+++ b/devices/surface/surface-pro-arm-app-performance.md
@@ -5,12 +5,12 @@ ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Surface Pro X app compatibility
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index f74ee76e83..c0de20193f 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -6,12 +6,12 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.date: 03/09/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -39,6 +39,7 @@ System Model and System SKU are variables that are stored in the System Manageme
| Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial |
| Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer |
| Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial |
+| Surface Laptop | Surface Laptop | Surface_Laptop |
| Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer |
| Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial |
| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 |
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
index 6e225137c2..24a358065b 100644
--- a/devices/surface/surface-wireless-connect.md
+++ b/devices/surface/surface-wireless-connect.md
@@ -4,14 +4,13 @@ description: This topic describes recommended Wi-Fi settings to ensure Surface d
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
+author: coveminer
ms.audience: itpro
ms.localizationpriority: medium
-ms.author: dansimp
+ms.author: v-jokai
ms.topic: article
-ms.date: 10/31/2019
ms.reviewer: tokatz
-manager: dansimp
+manager: laurawi
---
# Optimize Wi-Fi connectivity for Surface devices
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
index 39b70f6006..0caea932ab 100644
--- a/devices/surface/unenroll-surface-devices-from-semm.md
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -6,12 +6,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 01/06/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index ac6102c2ef..c9345502d8 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -6,14 +6,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 10/21/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
+ms.date: 04/24/2020
---
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
@@ -38,216 +38,7 @@ manager: dansimp
- Surface Pro
- Windows 10
-In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices.
+In addition to the traditional deployment method of reimaging devices, administrators who want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade.
-If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed.
+For the latest information about upgrading surface devices using MDT, refer to [Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
-#### The upgrade concept
-
-When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths – *clean installation* – allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths – *upgrade* – allows you to apply Windows to the device but retains the device’s users, apps, and settings.
-
-When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications.
-
-For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
-
-Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device.
-
-> [!NOTE]
-> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
-
-## Deployment tools and resources
-
-Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
-
-* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741)
-* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
- * Deployment Image Servicing and Management (DISM)
- * Windows Preinstallation Environment (Windows PE)
- * Windows System Image Manager (Windows SIM)
-
-You will also need to have available the following resources:
-
-* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
-
- >[!NOTE]
- >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
-* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
-
-* Application installation files for any applications you want to install, such as the Surface app
-
-## Prepare the upgrade deployment
-
-Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article.
-
-### Import Windows 10 installation files
-
-Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article.
-
-### Import Surface drivers
-In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
-
-1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/download/details.aspx?id=38826) in the Microsoft Download Center.
-2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
-3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
-4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
- * WinPE x86
- * WinPE x64
- * Windows 10 x64
- * Microsoft Corporation
- * Surface Pro 4
- * Surface Pro 3
-5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
-
- 
-
- *Figure 1. Import Surface Pro 3 drivers for Windows 10*
-
-6. The Import Driver Wizard displays a series of steps, as follows:
- - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
- - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
- - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard.
-7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2.
-
- 
-
- *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share*
-
-### Import applications
-
-Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
-
-There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
-
-### Create the upgrade task sequence
-
-After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified.
-
-Create the upgrade task sequence with the following process:
-
-1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
-2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
- - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
- >[!NOTE]
- >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
- - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**.
- - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
- - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**.
- - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- - **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
- - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard.
-
-After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence:
-
-1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
-2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence.
-3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
-4. Click the **Options** tab, and then clear the **Disable This Step** check box.
-5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step.
-6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**.
-7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
-
- 
-
- *Figure 3. A new Install Application step in the deployment task sequence*
-
-8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field.
-9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
-10. Select **Surface App** from the list of applications, and then click **OK**.
-11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step.
-12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
-13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options:
-
- - **Name** – Set DriverGroup001
- - **Task Sequence Variable** – DriverGroup001
- - **Value** – Windows 10 x64\%Make%\%Model%
-
- 
-
- *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence*
-
-14. Select the **Inject Drivers** step, the next step in the task sequence.
-15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options:
- * In the **Choose a selection profile** drop-down menu, select **Nothing**.
- * Click the **Install all drivers from the selection profile** button.
-
- 
-
- *Figure 5. Configure the deployment task sequence to not install drivers*
-
-16. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
-
-Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section.
-
-### Deployment share rules
-
-To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE.
-
-To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
-
-```
-[Settings]
-Priority=Model,Default
-Properties=MyCustomProperty
-
-[Surface Pro 4]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP4
-
-[Surface Pro 3]
-SkipTaskSequence=YES
-TaskSequenceID=Win10SP3Up
-
-[Default]
-OSInstall=Y
-SkipCapture=YES
-SkipAdminPassword=YES
-SkipProductKey=YES
-SkipComputerBackup=YES
-SkipBitLocker=YES
-SkipBDDWelcome=YES
-SkipUserData=YES
-UserDataLocation=AUTO
-SkipApplications=YES
-SkipPackageDisplay=YES
-SkipComputerName=YES
-SkipDomainMembership=YES
-JoinDomain=contoso.com
-DomainAdmin=MDT
-DomainAdminDomain=contoso
-DomainAdminPassword=P@ssw0rd
-SkipLocaleSelection=YES
-KeyboardLocale=en-US
-UserLocale=en-US
-UILanguage=en-US
-SkipTimeZone=YES
-TimeZoneName=Pacific Standard Time
-UserID=MDTUser
-UserDomain=STNDeployServer
-UserPassword=P@ssw0rd
-SkipSummary=YES
-SkipFinalSummary=YES
-FinishAction=LOGOFF
-```
-
-
-
-For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article.
-
-### Update deployment share
-
-To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps.
-
-### Run the upgrade deployment
-
-Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps:
-
-1. Browse to the network location of your deployment share in File Explorer.
-2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard.
-3. Enter your credentials when prompted.
-4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules.
-5. The upgrade process will occur automatically and without user interaction.
-
-The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device.
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index 1ac8eb8aa2..21616dc89e 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -6,12 +6,11 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: coveminer
+ms.author: v-jokai
ms.topic: article
-ms.date: 11/22/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
@@ -383,56 +382,11 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
-The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go.
+The best way to view the most current Setting names and IDs for devices is to use the ConfigureSEMM.ps1 script or the ConfigureSEMM -
- Healthcare
- Government | - Merger & acquisition
- Short term employees
- Contractors & partners | - BYOD & mobile
- Customer support/service
- Branch workers | - Design & engineering
- Support for legacy apps
- Software dev & test | - On demand
- Just-in-Time (JIT)
- Work @ Home |
+
+### Offline and on-device access for more productive experiences
+
+Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)?
+
+To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure.
+
+In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video.
+
+An alternative to locally installing traditional applications is to take advantage of the latest version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more.
+
+### Virtual GPUs
+
+GPUs are ideal for AI compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility.
+
+To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments.
+
+Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu)
+
+## Microsoft 365 and Surface
+
+Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. According to Forrester Research: 4
+
+- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface
+- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention
+- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention.
+
+### Security and management
+
+From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date.
+With both Surface hardware and software designed, built, and tested by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Windows Virtual Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access.
+
+By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location.
+
+Security and management features delivered with Windows Virtual Desktop on Surface include:
+
+- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. With a purpose-built UEFI 5 and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified.
+
+- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity.
+- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience.
+- **Removable drives** - A subset of newer Surface devices feature removable SSD drives 6 providing greater control over data retention.
+- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences.
+- **Modern firmware management** -Using Device Firmware Configuration Interface (DFCI),7 IT administrators can remotely disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them.
+- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life.
+- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed.
+- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
+
+### Surface devices: Minimizing environmental impacts
+
+Surface performs life cycle assessments to calculate the environmental impact of devices across key stages of product life cycle enabling Microsoft to minimize these impacts. Each Surface product has an ECO profile that includes details on greenhouse gas emissions, primary energy consumption and material composition data, packaging, recycling, and related criteria. To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center.
+
+## Summary
+
+Windows Virtual Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running Windows Virtual Desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. Whether employees work in persistent, on-demand, or just-in-time scenarios, Windows Virtual Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Windows Virtual Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes.
+
+## Learn more
+
+For more information, see the following resources:
+
+- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
+- [Surface for Business](https://www.microsoft.com/surface/business)
+- [Modernize your workforce with Microsoft Surface](https://boards.microsoft.com/public/prism/103849?token=754435c36d)
+- [A guide to Surface Technical Content and Solutions](https://boards.microsoft.com/public/prism/104362/category/90968?token=09e688ec4a)
+- [Microsoft zero-trust security](https://www.microsoft.com/security/business/zero-trust)
+
+
+----------
+
+1. Windows Virtual Desktop on Surface refers to running Azure Virtual Desktop Infrastructure on a Surface device and is described here as an architectural solution, not a separately available product.
+2. Battery life varies significantly with settings, usage and other factors.
+3. Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com.
+4. Forrester Consulting, “A Forrester Total Economic Impact™ Study: Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface,” commissioned by Microsoft, 2018.
+5. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. Find out more about managing Surface UEFI settings.
+6. Removable SSD is available on Surface Laptop 3 and Surface Pro X. Note that hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions.
+7. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. [Find out more](https://docs.microsoft.com/surface/manage-surface-uefi-settings) about managing Surface UEFI settings.
+
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index e74ce568f1..8ba6fec5bb 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -64,7 +64,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
**To trigger Autopilot Reset**
-1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
+1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**.
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 688b66c92b..71f603bec9 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 08/31/2017
+ms.date:
ms.reviewer:
manager: dansimp
---
@@ -32,7 +32,7 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
| **Cortana** | **AllowCortana** | Disables Cortana * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |
-| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
+| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set |
@@ -150,34 +150,10 @@ For example:
## Ad-free search with Bing
-Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at https://www.bing.com/classroom/about-us.
-
-> [!NOTE]
-> If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge).
+Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States.
### Configurations
-#### IP registration for entire school network using Microsoft Edge
-Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
-
-**District information**
-- **District or School Name:**
-- **Outbound IP Addresses (IP Range + CIDR):**
-- **Address:**
-- **City:**
-- **State Abbreviation:**
-- **Zip Code:**
-
-**Registrant information**
-- **First Name:**
-- **Last Name:**
-- **Job Title:**
-- **Email Address:**
-- **Opt-In for Email Announcements?:**
-- **Phone Number:**
-
-This will suppress ads when searching with Bing on Microsoft Edge when the PC is connected to the school network.
-
#### Azure AD and Office 365 Education tenant
To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
@@ -185,6 +161,8 @@ To suppress ads when searching with Bing on Microsoft Edge on any network, follo
2. Domain join the Windows 10 PCs to your Azure AD tenant (this is the same as your Office 365 tenant).
3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
+> [!NOTE]
+> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
#### Office 365 sign-in to Bing
To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
@@ -192,8 +170,6 @@ To suppress ads only when the student signs into Bing with their Office 365 acco
1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
2. Have students sign into Bing with their Office 365 account.
-### More information
-For more information on all the possible Bing configuration methods, see https://aka.ms/e4ahor.
## Related topics
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index c081cfa696..280778ccb4 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -558,16 +558,16 @@ Complete the following steps to select the appropriate Office 365 Education lice
1. Determine the number of faculty members and students who will use the classroom. Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
-2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 8 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+2. Determine the faculty members and students who need to install Microsoft Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Microsoft 365 Apps for enterprise plans). Table 8 lists the advantages and disadvantages of standard and Microsoft 365 Apps for enterprise plans.
|Plan |Advantages |Disadvantages |
|----- |----------- |------------- |
- |Office 365 Education |
|
|
- |Office 365 ProPlus |
|
|
+ |Office 365 Education |
|
|
+ |Microsoft 365 Apps for enterprise |
|
|
- *Table 8. Comparison of standard and Office 365 ProPlus plans*
+ *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans*
- The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+ The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
3. Determine whether students or faculty need Azure Rights Management.
@@ -1259,7 +1259,7 @@ Your MDT deployment share and Microsoft Endpoint Configuration Manager are now r
## Capture the reference image
-The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Office 365 ProPlus if you selected that student license plan.
+The reference device is a device that you use as the template for all the other devices in your district. On this device, you install any Windows desktop apps the classroom needs. For example, install the Windows desktop apps for Microsoft 365 Apps for enterprise if you selected that student license plan.
After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index f582026716..5631f3e6ab 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -173,9 +173,9 @@ Complete the following steps to select the appropriate Office 365 Education lice
Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
-Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans
+Table 1. Comparison of standard and Microsoft Microsoft 365 Apps for enterprise plans
Standard Standard Office ProPlus
-The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
@@ -506,7 +506,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about creating security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
You can add and remove users from security groups at any time.
@@ -520,7 +520,7 @@ You can create email distribution groups based on job role (such as teachers, ad
**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
-For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+For information about how to create security groups, see [Create and manage Microsoft 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
### Summary
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 3149237ba1..de941be3c6 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -83,7 +83,7 @@ Applies to: IT admins
Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
### Domain verification
-For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
+For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Microsoft 365 admin center. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
## Acquire apps
Applies to: IT admins and teachers
diff --git a/education/windows/images/edu-districtdeploy-fig1.png b/education/windows/images/edu-districtdeploy-fig1.png
index a9ed962f95..9e9cd6c238 100644
Binary files a/education/windows/images/edu-districtdeploy-fig1.png and b/education/windows/images/edu-districtdeploy-fig1.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig2.png b/education/windows/images/edu-districtdeploy-fig2.png
index 3838c18153..dfa00a0132 100644
Binary files a/education/windows/images/edu-districtdeploy-fig2.png and b/education/windows/images/edu-districtdeploy-fig2.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig4.png b/education/windows/images/edu-districtdeploy-fig4.png
index c55ee20d47..ca07e5a968 100644
Binary files a/education/windows/images/edu-districtdeploy-fig4.png and b/education/windows/images/edu-districtdeploy-fig4.png differ
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index 7d74f93c5d..fe8d0d640e 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -21,7 +21,7 @@ Learn what’s new with the Set up School PCs app each week. Find out about new
## Week of September 23, 2019
### Easier way to deploy Office 365 to your classroom devices
- Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Office 365 ProPlus. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
+ Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
## Week of June 24, 2019
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index c326ec1cba..69d4efc9c1 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -20,7 +20,7 @@ manager: dansimp
- Windows 10
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test.
+Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test.
Follow the guidance in this topic to set up Take a Test on multiple PCs.
@@ -130,7 +130,7 @@ To set up a test account through Windows Configuration Designer, follow these st
1. [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd).
2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account.
- 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**.
+ 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**.
2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
@@ -211,7 +211,7 @@ Anything hosted on the web can be presented in a locked down manner, not just as
For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
- To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+ To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
- Create a link using schema activation
@@ -255,7 +255,7 @@ One of the ways you can present content in a locked down manner is by embedding
See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 41fbb7b7fd..1286a5aec8 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -66,7 +66,7 @@ Anything hosted on the web can be presented in a locked down manner, not just as
For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
- To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link).
+ To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
- Create a link using schema activation
@@ -117,7 +117,7 @@ One of the ways you can present content in a locked down manner is by embedding
### Create a shortcut for the test link
-You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
+You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index fed3ff8374..7e016c22c0 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -34,8 +34,12 @@ Many schools use online testing for formative and summative assessments. It's cr
-There are several ways to configure devices for assessments. You can:
-- **Configure an assessment URL and a dedicated testing account**
+There are several ways to configure devices for assessments, depending on your use case:
+
+- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL.
+- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing.
+
+1. **Configure an assessment URL and a dedicated testing account**
In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
@@ -58,9 +62,9 @@ There are several ways to configure devices for assessments. You can:
For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
-- **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link**
+2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method**
- This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
+ This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link.
You can enable this using a schema activation.
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 501e3f3249..136499ee4c 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -93,7 +93,7 @@ Enter email addresses for your students, and each student will get an email with
You can assign the app to students with work or school accounts.
- If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Office 365 portal where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
+ If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
**To finish Minecraft install (for students)**
diff --git a/images/screenshot1.png b/images/screenshot1.png
new file mode 100644
index 0000000000..ed62740e92
Binary files /dev/null and b/images/screenshot1.png differ
diff --git a/images/screenshot10.png b/images/screenshot10.png
new file mode 100644
index 0000000000..5cb1567235
Binary files /dev/null and b/images/screenshot10.png differ
diff --git a/images/screenshot11.png b/images/screenshot11.png
new file mode 100644
index 0000000000..0ce852ebaa
Binary files /dev/null and b/images/screenshot11.png differ
diff --git a/images/screenshot12.png b/images/screenshot12.png
new file mode 100644
index 0000000000..cd85d80c7e
Binary files /dev/null and b/images/screenshot12.png differ
diff --git a/images/screenshot2.png b/images/screenshot2.png
new file mode 100644
index 0000000000..fb7995600e
Binary files /dev/null and b/images/screenshot2.png differ
diff --git a/images/screenshot3.png b/images/screenshot3.png
new file mode 100644
index 0000000000..07e01661c5
Binary files /dev/null and b/images/screenshot3.png differ
diff --git a/images/screenshot4.png b/images/screenshot4.png
new file mode 100644
index 0000000000..ab1f083c71
Binary files /dev/null and b/images/screenshot4.png differ
diff --git a/images/screenshot5.png b/images/screenshot5.png
new file mode 100644
index 0000000000..0ec6fda3a7
Binary files /dev/null and b/images/screenshot5.png differ
diff --git a/images/screenshot6.png b/images/screenshot6.png
new file mode 100644
index 0000000000..2f3284ee77
Binary files /dev/null and b/images/screenshot6.png differ
diff --git a/images/screenshot7.png b/images/screenshot7.png
new file mode 100644
index 0000000000..e3d80a3ac9
Binary files /dev/null and b/images/screenshot7.png differ
diff --git a/images/screenshot8.png b/images/screenshot8.png
new file mode 100644
index 0000000000..f85eaffdff
Binary files /dev/null and b/images/screenshot8.png differ
diff --git a/images/screenshot9.png b/images/screenshot9.png
new file mode 100644
index 0000000000..f617991a63
Binary files /dev/null and b/images/screenshot9.png differ
diff --git a/mdop/agpm/agpm-4-navengl.md b/mdop/agpm/agpm-4-navengl.md
index 76b3146249..d9b63043f8 100644
--- a/mdop/agpm/agpm-4-navengl.md
+++ b/mdop/agpm/agpm-4-navengl.md
@@ -25,7 +25,8 @@ ms.date: 06/16/2016
- [Release Notes for Microsoft Advanced Group Policy Management 4.0](release-notes-for-microsoft-advanced-group-policy-management-40.md)
-
+> [!NOTE]
+> Advanced Group Policy Management (AGPM) 4.0 will be end of life on January 12, 2021. Please upgrade to a supported version, such as AGPM 4.0 with Service Pack 3 prior to this date.
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
index abe185ad6b..5fa848da03 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
@@ -45,9 +45,9 @@ For more information about AGPM, see the following:
- [Advanced Group Policy Management TechNet Library](https://go.microsoft.com/fwlink/?LinkID=146846) (https://go.microsoft.com/fwlink/?LinkID=146846)
-- [Microsoft Desktop Optimization Pack TechCenter](https://go.microsoft.com/fwlink/?LinkId=159870) (http://www.microsoft.com/technet/mdop)
+- [Microsoft Desktop Optimization Pack TechCenter](https://go.microsoft.com/fwlink/?LinkId=159870) (https://www.microsoft.com/technet/mdop)
-- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkId=145531) (http://www.microsoft.com/gp)
+- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkId=145531) (https://www.microsoft.com/gp)
## Providing feedback
diff --git a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
index 8a54d8a0da..03301519d2 100644
--- a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
+++ b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md
@@ -102,7 +102,7 @@ The structure of the App-V 5.0 Dynamic Configuration file is explained in the fo
**Header** - the header of a dynamic user configuration file is as follows:
-<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
+
+
+
-
+For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
### Publishing server operating system requirements
@@ -303,7 +307,6 @@ The following table lists the SQL Server versions that are supported for the App
## App-V client system requirements
-
The following table lists the operating systems that are supported for the App-V 5.1 client installation.
**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
@@ -416,7 +419,6 @@ App-V adds no additional requirements beyond those of Windows Server.
## Sequencer system requirements
-
The following table lists the operating systems that are supported for the App-V 5.1 Sequencer installation.
@@ -145,7 +149,7 @@ The following table lists the SQL Server versions that are supported for the App
@@ -479,7 +481,6 @@ See the Windows or Windows Server documentation for the hardware requirements. A
## Supported versions of System Center Configuration Manager
-
The App-V client supports the following versions of System Center Configuration Manager:
- Microsoft System Center 2012 Configuration Manager
@@ -543,23 +544,8 @@ The following App-V and System Center Configuration Manager version matrix shows
For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx).
-
-
-
-
-
## Related topics
-
[Planning to Deploy App-V](planning-to-deploy-app-v51.md)
[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
index c781eb4fea..a2dc196c47 100644
--- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
+++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
@@ -20,7 +20,7 @@ ms.date: 06/16/2016
After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
**Note**
-For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
+For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx).
**Note**
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
index 6ac193ddbc..ec3642bc65 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
@@ -101,7 +101,7 @@ Before you deploy Office by using App-V, review the following requirements.
-
-
-
@@ -348,7 +348,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
->**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
Channel="Deferred"
-
@@ -348,7 +348,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
->**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>**Note** You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
Branch = "Business"
-> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time.
+> [!NOTE]
+> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
-
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
-``` syntax
+```console
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
@@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu
Here is the URL format:
-``` syntax
+```console
HTTP/1.1 302
Location:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameter Definitions**
-
-**General Parameters**
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Management Server Installation Parameters**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameters for the Management Server Database**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameters for Installing Publishing Server**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameters for Reporting Server**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameters for using an Existing Reporting Server Database**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameters for installing Reporting Server Database**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Parameters for using an existing Management Server Database**
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-~~~
+## Install the App-V 5.1 server using a script
+- Use the following information about installing the App-V 5.1 server using the command line.
+ > [!NOTE]
+ > The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
+
+### Install the Management server and Management database on a local machine
+
+The following parameters are valid with both the default and custom instance of Microsoft SQL Server:
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /DB_PREDEPLOY_MANAGEMENT
+- /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT
+- /MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement"
+```
+
+### Install the Management server using an existing Management database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use the following parameters (difference from default instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName" /EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
+```
+
+### Install the Management server using an existing Management database on a remote machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /MANAGEMENT_SERVER
+- /MANAGEMENT_ADMINACCOUNT
+- /MANAGEMENT_WEBSITE_NAME
+- /MANAGEMENT_WEBSITE_PORT
+- /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_MANAGEMENT_DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /MANAGEMENT_SERVER /MANAGEMENT_ADMINACCOUNT="Domain\AdminGroup" /MANAGEMENT_WEBSITE_NAME="Microsoft AppV Management Service" /MANAGEMENT_WEBSITE_PORT="8080" /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME="SqlServermachine.domainName" /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE ="SqlInstanceName" /EXISTING_MANAGEMENT_DB_NAME ="AppVManagement"
+```
+
+### Install the Management database and the Management Server on the same computer
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_SERVER_MACHINE_USE_LOCAL
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_SERVER_MACHINE_USE_LOCAL
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement" /MANAGEMENT_SERVER_MACHINE_USE_LOCAL /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the Management database on a different computer than the Management server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_MANAGEMENT
+- */MANAGEMENT_DB_CUSTOM_SQLINSTANCE*
+- /MANAGEMENT_DB_NAME
+- /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT
+- /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_MANAGEMENT /MANAGEMENT_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /MANAGEMENT_DB_NAME="AppVManagement" /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the publishing server
+
+To use the default instance of Microsoft SQL Server, use the following parameters:
+
+- /PUBLISHING_SERVER
+- /PUBLISHING_MGT_SERVER
+- /PUBLISHING_WEBSITE_NAME
+- /PUBLISHING_WEBSITE_PORT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /PUBLISHING_SERVER /PUBLISHING_MGT_SERVER="http://ManagementServerName:ManagementPort" /PUBLISHING_WEBSITE_NAME="Microsoft AppV Publishing Service" /PUBLISHING_WEBSITE_PORT="8081"
+```
+
+### Install the Reporting server and Reporting database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting server and using an existing Reporting database on a local machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL
+- */EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /EXITING_REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting server using an existing Reporting database on a remote machine
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /REPORTING _SERVER
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /EXISTING_REPORTING _DB_NAME
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /REPORTING _SERVER
+- */REPORTING _ADMINACCOUNT*
+- /REPORTING _WEBSITE_NAME
+- /REPORTING _WEBSITE_PORT
+- /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME
+- */EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /EXISTING_REPORTING _DB_NAME
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /REPORTING_SERVER /REPORTING_WEBSITE_NAME="Microsoft AppV Reporting Service" /REPORTING_WEBSITE_PORT="8082" /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME="SqlServerMachine.DomainName" /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /EXITING_REPORTING_DB_NAME="AppVReporting"
+```
+
+### Install the Reporting database on the same computer as the Reporting server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_SQLINSTANCE_USE_DEFAULT*
+- /REPORTING _DB_NAME
+- /REPORTING_SERVER_MACHINE_USE_LOCAL
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- */REPORTING _DB_CUSTOM_SQLINSTANCE*
+- /REPORTING _DB_NAME
+- /REPORTING_SERVER_MACHINE_USE_LOCAL
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting" /REPORTING_SERVER_MACHINE_USE_LOCAL /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Install the Reporting database on a different computer than the Reporting server
+
+To use the default instance of Microsoft SQL Server, use the following parameters (difference from custom instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- /REPORTING _DB_SQLINSTANCE_USE_DEFAULT
+- /REPORTING _DB_NAME
+- /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+To use a custom instance of Microsoft SQL Server, use these parameters (difference from default instance in *italic*):
+
+- /DB_PREDEPLOY_REPORTING
+- /REPORTING _DB_CUSTOM_SQLINSTANCE
+- /REPORTING _DB_NAME
+- /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT
+- /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT
+
+**Example: Using a custom instance of Microsoft SQL Server:**
+
+```dos
+ appv_server_setup.exe /QUIET /DB_PREDEPLOY_REPORTING /REPORTING_DB_CUSTOM_SQLINSTANCE="SqlInstanceName" /REPORTING_DB_NAME="AppVReporting" /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="Domain\MachineAccount" /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="Domain\InstallAdminAccount"
+```
+
+### Parameter Definitions
+
+#### General Parameters
+
+| Parameter | Information |
+|--|--|
+| /QUIET | Specifies silent install. |
+| /UNINSTALL | Specifies an uninstall. |
+| /LAYOUT | Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected. |
+| /LAYOUTDIR | Specifies the layout directory. Takes a string. Example usage: **/LAYOUTDIR="C:\\Application Virtualization Server"** |
+| /INSTALLDIR | Specifies the installation directory. Takes a string. Example usage: **/INSTALLDIR="C:\\Program Files\\Application Virtualization\\Server"** |
+| /MUOPTIN | Enables Microsoft Update. No value is expected. |
+| /ACCEPTEULA | Accepts the license agreement. This is required for an unattended installation. Example usage: **/ACCEPTEULA** or **/ACCEPTEULA=1** |
+
+#### Management Server Installation Parameters
+
+|Parameter |Information |
+|--|--|
+| /MANAGEMENT_SERVER | Specifies that the management server will be installed. No value is expected |
+| /MANAGEMENT_ADMINACCOUNT | Specifies the account that will be allowed Administrator access to the management server. This can be a user account or a group. Example usage: **/MANAGEMENT_ADMINACCOUNT="mydomain\\admin"**. If **/MANAGEMENT_SERVER** is not specified, this will be ignored. |
+| /MANAGEMENT_WEBSITE_NAME | Specifies name of the website that will be created for the management service. Example usage: **/MANAGEMENT_WEBSITE_NAME="Microsoft App-V Management Service"** |
+| MANAGEMENT_WEBSITE_PORT | Specifies the port number that will be used by the management service will use. Example usage: **/MANAGEMENT_WEBSITE_PORT=82** |
+
+#### Parameters for the Management Server Database
+
+| Parameter | Information |
+|--|--|
+| /DB_PREDEPLOY_MANAGEMENT | Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected. |
+| /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance should be used. No value is expected. |
+| /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: **/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"**. If **/DB_PREDEPLOY_MANAGEMENT** is not specified, this will be ignored. |
+| /MANAGEMENT_DB_NAME | Specifies the name of the new management database that should be created. Example usage: **/MANAGEMENT_DB_NAME="AppVMgmtDB"**. If **/DB_PREDEPLOY_MANAGEMENT** is not specified, this will be ignored. |
+| /MANAGEMENT_SERVER_MACHINE_USE_LOCAL | Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
+| /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT | Specifies the machine account of the remote machine that the management server will be installed on. Example usage: **/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT="domain\\computername"** |
+| /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT | Indicates the Administrator account that will be used to install the management server. Example usage: **/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT ="domain\\alias"** |
+
+#### Parameters for Installing Publishing Server
+
+| Parameter | Information |
+|--|--|
+| /PUBLISHING_SERVER | Specifies that the Publishing Server will be installed. No value is expected. |
+| /PUBLISHING_MGT_SERVER | Specifies the URL to Management Service the Publishing server will connect to. Example usage: **http://<management server name>:<Management server port number>**. If **/PUBLISHING_SERVER** is not used, this parameter will be ignored. |
+| /PUBLISHING_WEBSITE_NAME | Specifies name of the website that will be created for the publishing service. Example usage: **/PUBLISHING_WEBSITE_NAME="Microsoft App-V Publishing Service"** |
+| /PUBLISHING_WEBSITE_PORT | Specifies the port number used by the publishing service. Example usage: **/PUBLISHING_WEBSITE_PORT=83** |
+
+#### Parameters for Reporting Server
+
+| Parameter | Information |
+|--|--|
+| /REPORTING_SERVER | Specifies that the Reporting Server will be installed. No value is expected. |
+| /REPORTING_WEBSITE_NAME | Specifies name of the website that will be created for the Reporting Service. Example usage: **/REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"** |
+| /REPORTING_WEBSITE_PORT | Specifies the port number that the Reporting Service will use. Example usage: **/REPORTING_WEBSITE_PORT=82** |
+
+#### Parameters for using an Existing Reporting Server Database
+
+| Parameter | Information |
+|--|--|
+| /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL | Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected. |
+| /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. Example usage: **/EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"** |
+| /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. |
+| /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that should be used. Takes a string. Example usage: **/EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"** |
+| /EXISTING_ REPORTING _DB_NAME | Specifies the name of the existing Reporting database that should be used. Takes a string. Example usage: **/EXISTING_REPORTING_DB_NAME="AppVReporting"** |
+
+#### Parameters for installing Reporting Server Database
+
+| Parameter | Information |
+|--|--|
+| /DB_PREDEPLOY_REPORTING | Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected. |
+| /REPORTING_DB_SQLINSTANCE_USE_DEFAULT | Specifies the name of the custom SQL instance that should be used. Takes a string. Example usage: **/REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"** |
+| /REPORTING_DB_NAME | Specifies the name of the new Reporting database that should be created. Takes a string. Example usage: **/REPORTING_DB_NAME="AppVMgmtDB"** |
+| /REPORTING_SERVER_MACHINE_USE_LOCAL | Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected. |
+| /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT | Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. Example usage: **/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT="domain\computername"** |
+| /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT | Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. Example usage: **/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT="domain\\alias"** |
+
+#### Parameters for using an existing Management Server Database
+
+| Parameter | Information |
+|--|--|
+| /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL | Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME | Specifies the name of the remote computer that SQL Server is installed on. Takes a string. Example usage: **/EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"** |
+| /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT | Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE | Specifies the name of the custom SQL instance that will be used. Example usage **/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE="AppVManagement"**. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+| /EXISTING_MANAGEMENT_DB_NAME | Specifies the name of the existing management database that should be used. Example usage: **/EXISTING_MANAGEMENT_DB_NAME="AppVMgmtDB"**. If **/DB_PREDEPLOY_MANAGEMENT** is specified, this will be ignored. |
+
+Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
index c8faae6bae..521bf090aa 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
@@ -13,75 +13,42 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Deploy the App-V Databases by Using SQL Scripts
-
Use the following instructions to use SQL scripts, rather than the Windows Installer, to:
-- Install the App-V 5.1 databases
+- Install the App-V 5.1 databases
+- Upgrade the App-V databases to a later version
-- Upgrade the App-V databases to a later version
+> [!NOTE]
+> If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
-**Note**
-If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
+## How to install the App-V databases by using SQL scripts
+1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+1. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+1. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
+ Example: appv\_server\_setup.exe /layout c:\\<_temporary location path_>
-**How to install the App-V databases by using SQL scripts**
+1. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
-1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+ | Database | Location of Readme.txt file to use |
+ |--|--|
+ | Management database | ManagementDatabase subfolder |
+ | Reporting database | ReportingDatabase subfolder |
-2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+> [!CAUTION]
+> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
-3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
-
- Example: appv\_server\_setup.exe /layout c:\\<temporary location path>
-
-4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
-
-
-
-
-
-Parameter
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-~~~
-**Caution**
-The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
-
-
-
-**Important**
-The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
+> [!IMPORTANT]
+> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
-~~~
+## Updated management database README file content
-
-**Updated management database README file content**
-
-``` syntax
+```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
@@ -107,7 +74,7 @@ Steps to install "AppVManagement" schema in SQL SERVER.
2. Ensure the target SQL Server instance and SQL Server Agent service are running.
- 3. If you are not running the scripts directly on the server, ensure the
+ 3. If you are not running the scripts directly on the server, ensure the
necessary SQL Server client software is installed and available from
the specified location. Specifically, the "osql" command must
## be supported for these scripts to run.
@@ -120,7 +87,7 @@ Steps to install "AppVManagement" schema in SQL SERVER.
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
- DATABASE - ensure name is satisfactory - default is "AppVManagement".
+ DATABASE - ensure name is satisfactory - default is "AppVManagement".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
@@ -130,23 +97,23 @@ Steps to install "AppVManagement" schema in SQL SERVER.
## INSTALLATION:
- 1. Run the database.sql against the "master" database. Your user
+ 1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
- 2. Run the following scripts against the "AppVManagement" database using the
+ 2. Run the following scripts against the "AppVManagement" database using the
same account as above in order.
CreateTables.sql
CreateStoredProcs.sql
UpdateTables.sql
-## Permissions.sql
+## Permissions.sql
```
-**Updated reporting database README file content**
+## Updated reporting database README file content
-``` syntax
+```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
@@ -188,7 +155,7 @@ Steps to install "AppVReporting" schema in SQL SERVER.
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
- DATABASE - ensure name is satisfactory - default is "AppVReporting".
+ DATABASE - ensure name is satisfactory - default is "AppVReporting".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
@@ -203,13 +170,13 @@ Steps to install "AppVReporting" schema in SQL SERVER.
## INSTALLATION:
- 1. Run the database.sql against the "master" database. Your user
+ 1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema.
- 2. Run the following scripts against the "AppVReporting" database using the
+ 2. Run the following scripts against the "AppVReporting" database using the
same account as above in order.
CreateTables.sql
@@ -222,20 +189,10 @@ Steps to install "AppVReporting" schema in SQL SERVER.
```
-**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
index ed4ef04eb0..152d31ca72 100644
--- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
+++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
@@ -13,19 +13,17 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell
-
Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts.
Before attempting this procedure, you should read and understand the information and examples displayed in the following list:
-- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names.
+- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names.
-- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats.
+- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats.
-- **Examples** -
+- **Examples** -
**.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**.
@@ -33,13 +31,10 @@ Before attempting this procedure, you should read and understand the information
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
- \#>
-
-**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)**
+## To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)
1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**.
-
-2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
+1. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
```powershell
<#
@@ -61,7 +56,7 @@ Before attempting this procedure, you should read and understand the information
function ConvertSIDToHexFormat
{
- param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert)
+ param([System.Security.Principal.SecurityIdentifier]$sidToConvert)
$sb = New-Object System.Text.StringBuilder
[int] $binLength = $sidToConvert.BinaryLength
@@ -79,7 +74,7 @@ Before attempting this procedure, you should read and understand the information
[string]::Format("{0}====== Description ======{0}{0}" +
" Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" +
- " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +
+ " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.ps1 DOMAIN\Account1 DOMAIN\Account2 ...'){0}" +
" The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" +
" And can be written out to a file using standard PowerShell redirection{0}" +
" Please specify user accounts in the format 'DOMAIN\username'{0}" +
@@ -131,17 +126,21 @@ Before attempting this procedure, you should read and understand the information
Write-Output $SIDs
}
}
-3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
+ ```
+
+1. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
For example,
- **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
+ **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**
+
+ or
+
+ **$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
+ **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
- **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”**
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md)
diff --git a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
index 77c7a3fd6a..ebe96992d3 100644
--- a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
+++ b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
@@ -13,114 +13,74 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services
-
Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail.
-**Note**
-After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
+> [!NOTE]
+> After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
+## To install the management database and the management server on separate computers
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
+1. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
+1. On the **Installation Location** page, accept the default location and click **Next**.
+1. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
-**To install the management database and the management server on separate computers**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
-
-4. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
-
-5. On the **Installation Location** page, accept the default location and click **Next**.
-
-6. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
-
- If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
-
+ If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.\
If you are using a custom database name, then select **Custom configuration** and type the database name.
-7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
+1. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
- **Note**
- If you plan to deploy the management server on the same computer you must select **Use this local computer**.
+ > [!NOTE]
+ > If you plan to deploy the management server on the same computer you must select **Use this local computer**.
+1. Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
+1. To start the installation, click **Install**.
+## To install the reporting database and the reporting server on separate computers
-~~~
-Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
-~~~
-
-8. To start the installation, click **Install**.
-
-**To install the reporting database and the reporting server on separate computers**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
-
-4. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
-
-5. On the **Installation Location** page, accept the default location and click **Next**.
-
-6. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
+1. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
+1. On the **Installation Location** page, accept the default location and click **Next**.
+1. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
-
If you are using a custom database name, then select **Custom configuration** and type the database name.
-7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
+1. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
- **Note**
- If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
+ > [!NOTE]
+ > If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
+1. Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
+1. To start the installation, click **Install**.
+## To install the management and reporting databases using App-V 5.1 database scripts
-~~~
-Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
-~~~
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
+1. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
-8. To start the installation, click **Install**.
+ **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR="InstallationExtractionLocation"**.
-**To install the management and reporting databases using App-V 5.1 database scripts**
+1. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
+ - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
+ - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
-2. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
+1. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
- **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR=”InstallationExtractionLocation”**.
+ > [!NOTE]
+ > For more information about modifying the required SIDs contained in the scripts, see [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
-3. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
+1. Run the scripts on the computer running Microsoft SQL Server.
- - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
-
- - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
-
-4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
-
- **Note**
- For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
-
-
-
-5. Run the scripts on the computer running Microsoft SQL Server.
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying App-V 5.1](deploying-app-v-51.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
index 02c3ed99ef..08be8a6ee4 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md
@@ -36,7 +36,7 @@ The following procedure does not require an App-V 5.0 management server.
<DeploymentConfiguration
- xmlns="
-
-
-
- Database
- Location of Readme.txt file to use
-
-
-
-
-
- <?xml version="1.0" ?>
<AppConnectionGroup
- xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
+ xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
AppConnectionGroupId="8105CCD5-244B-4BA1-8888-E321E688D2CB"
VersionId="84CE3797-F1CB-4475-A223-757918929EB4"
DisplayName="Contoso Software Connection Group" >
diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
index 8a87b7ff92..b29a4ff7a9 100644
--- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
+++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md
@@ -118,7 +118,7 @@ Before using optional packages, see [Requirements for using optional packages in
<?xml version="1.0" ?>
<AppConnectionGroup
- xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
+ xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
AppConnectionGroupId="8105CCD5-244B-4BA1-8888-E321E688D2CB"
VersionId="84CE3797-F1CB-4475-A223-757918929EB4"
DisplayName="Contoso Software Connection Group" >
diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md
index c51ad7bc30..8f3c652084 100644
--- a/mdop/appv-v5/index.md
+++ b/mdop/appv-v5/index.md
@@ -21,8 +21,14 @@ Microsoft Application Virtualization (App-V) 5 lets administrators make applicat
[Microsoft Application Virtualization 5.1 Administrator's Guide](microsoft-application-virtualization-51-administrators-guide.md)
+> [!NOTE]
+> Application Virtualization 5.1 for Remote Desktop Services will be end of life on January 10, 2023. Please upgrade to a supported version, such as App-V 5.0 with Service Pack 3 prior to this date.
+
[Microsoft Application Virtualization 5.0 Administrator's Guide](microsoft-application-virtualization-50-administrators-guide.md)
+> [!NOTE]
+> Application Virtualization 5.0 for Windows Desktops will be end of life on January 10, 2023. Please upgrade to a supported version, such as App-V 5.0 with Service Pack 3 prior to this date.
+
## More Information
diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
index d8aa6ae42a..d18673c97f 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
@@ -476,11 +476,11 @@ Server Performance Tuning Guidelines for
- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
## Sequencing Steps to Optimize Packages for Publishing Performance
diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
index 936a78123f..c6309edacb 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md
@@ -483,11 +483,11 @@ Server Performance Tuning Guidelines for
- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
-- [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
## Sequencing Steps to Optimize Packages for Publishing Performance
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office.md b/mdop/appv-v5/planning-for-using-app-v-with-office.md
index 7f570f7070..bb0f791a10 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office.md
@@ -61,7 +61,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
-
For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 71a8c271d1..9ec42cc879 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -2,6 +2,7 @@
title: Microsoft Store for Business and Education (Windows 10)
description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
+manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -10,7 +11,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 05/14/2020
---
# Microsoft Store for Business and Education
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index cc3bbbad3c..03c3b38bdf 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -45,7 +45,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
-- **Upgrade Office 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium.
+- **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription.
## January and February 2018
- **One place for apps, software, and subscriptions** - The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
@@ -61,7 +61,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
## October 2017
-- Bug fixes and performance improvements.
+- Bug fixes and performance improvements.
## September 2017
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 197cff66cb..29d79221c5 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -18,7 +18,7 @@ ms.topic: article
After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
-For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](
In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).|
|Publishing|You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user.|
-|Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
+|Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
### Excluding Office applications from a package
@@ -285,7 +285,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
#### To enable plug-ins for Office App-V packages
1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Office 365 ProPlus (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created.
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 8f016604df..ba7107286e 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2016 by using App-V (Windows 10)
-description: Deploying Microsoft Office 2016 by using App-V
+description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|-----------|-------------------|
| Packaging. | All Office applications that you deploy to users must be in a single package.
In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2016 and Microsoft Project 2016 at the same time as Office, you must put them all in the same package. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
| Publishing. | You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user. |
-| Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
+| Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
### Excluding Office applications from a package
@@ -124,7 +124,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
| Language element | Specifies which language the applications support. | `Language ID="en-us"` |
| Version (attribute of **Add** element) | Optional. Specifies which build the package will use.
Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
- | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Desktop Client.
For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
+ | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml."
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command:
@@ -152,7 +152,7 @@ After you download the Office 2016 applications through the Office Deployment To
The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make.
>[!NOTE]
->You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
+>You can use the Office Deployment Tool to create App-V packages for Microsoft 365 Apps for enterprise. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
| Product ID | Subscription licensing |
|---|---|
@@ -268,7 +268,7 @@ The following steps will tell you how to enable Office plug-ins with your Office
#### Enable plug-ins for Office App-V packages
1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Office 365 ProPlus (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
3. Create an App-V package that includes the plug-ins you want.
4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index df7f76ca07..9eb57e8521 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -1,6 +1,6 @@
---
title: Evaluating App-V (Windows 10)
-description: Evaluating App-V for Windows 10
+description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 3b54154537..e03e524b5a 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -1,6 +1,6 @@
---
title: Maintaining App-V (Windows 10)
-description: Maintaining App-V
+description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index dac8271c33..da919b1dbf 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -30,7 +30,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l
For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click).
>[!NOTE]
->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
+>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744).
## Using App-V with coexisting versions of Office
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 57989881e0..991209bd1b 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -1,13 +1,13 @@
---
title: Preparing Your Environment for App-V (Windows 10)
-description: Preparing Your Environment for App-V
-author: lomayor
+description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
+author: dansimp
manager: dansimp
ms.author: dansimp
ms.topic: article
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index cd4469abe5..565f150699 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
---
title: How to publish a package by using the Management console (Windows 10)
-description: How to publish a package by using the Management console.
+description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index a39eca9e4d..ebab019584 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -51,12 +51,15 @@ The following table lists the SQL Server versions that the App-V Management data
|SQL Server version|Service pack|System architecture|
|---|---|---|
+|Microsoft SQL Server 2019||32-bit or 64-bit|
|Microsoft SQL Server 2017||32-bit or 64-bit|
|Microsoft SQL Server 2016|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2014||32-bit or 64-bit|
|Microsoft SQL Server 2012|SP2|32-bit or 64-bit|
|Microsoft SQL Server 2008 R2|SP3|32-bit or 64-bit|
+For more information on user configuration files with SQL server 2016 or later, see the [support article](https://support.microsoft.com/help/4548751/app-v-server-publishing-might-fail-when-you-apply-user-configuration-f).
+
### Publishing server operating system requirements
The App-V Publishing server can be installed on a server that runs Windows Server 2008 R2 with SP1 or later.
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 7b5828d9c2..c27ad32063 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -2,7 +2,7 @@
title: Windows 10 - Apps
ms.reviewer:
manager: dansimp
-description: What are Windows, UWP, and Win32 apps
+description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -31,64 +31,61 @@ The following tables list the system apps, installed Windows apps, and provision
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
-
## Provisioned Windows apps
-Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
+You can list all provisioned Windows apps with this PowerShell command:
-> [!TIP]
-> You can list all provisioned Windows apps with this PowerShell command:
-> ```
-> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
-> ```
+```Powershell
+Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+```
-
-
-| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
-|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
-| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes |
-| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
-| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
-| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.VP9VideoExtensions | | | | | x | No |
-| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
-| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
-| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | | x | No |
-| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
+Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909.
+| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? |
+|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
+| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
+| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
+| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
+| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.VP9VideoExtensions | | | x | x | x | No |
+| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
+| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
+| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
@@ -97,13 +94,11 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809.
-> [!TIP]
-> You can list all system apps with this PowerShell command:
-> ```
-> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
-> ```
+You can list all system apps with this PowerShell command:
-
+```Powershell
+Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+```
| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
@@ -149,7 +144,7 @@ System apps are integral to the operating system. Here are the typical system ap
> [!NOTE]
-> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
+> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Installed Windows apps
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index fdb6834a7a..e7e6041a1d 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Application management in Windows 10 (Windows 10)
-description: View changes to documentation for application management in Windows 10.
+description: View new release information and updated topics in the documentation for application management in Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 1100a66787..4245e9fb23 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,6 +1,6 @@
---
title: Per-user services in Windows 10 and Windows Server
-description: Learn about per-user services introduced in Windows 10.
+description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 124846eb32..4af9868736 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -2,7 +2,7 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
manager: dansimp
-description: Learn how 802.1X Authentication works
+description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
@@ -73,7 +73,7 @@ The following article explains how to analyze CAPI2 event logs:
When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
-
+
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index e866b0d7c4..58f94bd27e 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -2,7 +2,7 @@
title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
-description: Data needed for reviewing 802.1X Authentication issues
+description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 6601e238eb..52a10357c5 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
-manager: dcscontentpm
+manager: willchen
---
# Generate a kernel or complete crash dump
@@ -61,7 +61,7 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
2. Select **Start**, and then select **Command Prompt**.
3. At the command line, run the following command:
- ```cmd
+ ```console
notMyfault.exe /crash
```
@@ -80,6 +80,7 @@ To do this, follow these steps:
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
1. In Registry Editor, locate the following registry subkey:
+
**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl**
2. Right-click **CrashControl**, point to **New**, and then click **DWORD Value**.
@@ -101,6 +102,8 @@ To do this, follow these steps:
9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
+If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq).
+
### Use the keyboard
[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
@@ -108,4 +111,3 @@ To do this, follow these steps:
### Use Debugger
[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
-
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
index 3838366e1a..477c88252a 100644
--- a/windows/client-management/index.md
+++ b/windows/client-management/index.md
@@ -1,6 +1,6 @@
---
title: Client management (Windows 10)
-description: Windows 10 client management
+description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 688b2e776c..0511eea424 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -31,7 +31,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD.
-- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
+- SSO in Microsoft Edge browser to Azure AD-connected web applications like Microsoft 365 admin center, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
- SSO to resources on-premises.
@@ -177,7 +177,7 @@ The OneDrive application also uses SSO, showing you all your documents and enabl
-In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business.
+In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Microsoft 365 admin center, and OneDrive for Business.
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 9d7b5546ff..35227e3c16 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -15,23 +15,18 @@ ms.topic: article
# Create mandatory user profiles
-
**Applies to**
-- Windows 10
+- Windows 10
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
+Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
-
-Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-
-When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
+When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
-
-
## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
@@ -45,121 +40,112 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
-For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
+For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
-## How to create a mandatory user profile
+## Mandatory user profile
First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.
-**To create a default user profile**
+### How to create a default user profile
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
-2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
+1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
- >[!NOTE]
- >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
+ > [!NOTE]
+ > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
-3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+ > [!NOTE]
+ > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
- >[!NOTE]
- >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
+1. At a command prompt, type the following command and press **ENTER**.
-3. At a command prompt, type the following command and press **ENTER**.
+ ```dos
+ sysprep /oobe /reboot /generalize /unattend:unattend.xml
+ ```
- `sysprep /oobe /reboot /generalize /unattend:unattend.xml`
-
- (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
+ (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
> [!TIP]
- > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following:
- >
+ > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
+ >
> 
- >
- > Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
+ >
+ > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
-4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
+1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
-5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
+1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
-6. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
+1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
-7. In **Copy To**, under **Permitted to use**, click **Change**.
+1. In **Copy To**, under **Permitted to use**, click **Change**.
-8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
+1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
-9. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607.
+1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
+ - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
-10. Click **OK** to copy the default user profile.
+1. Click **OK** to copy the default user profile.
+### How to make the user profile mandatory
-**To make the user profile mandatory**
+1. In File Explorer, open the folder where you stored the copy of the profile.
+ > [!NOTE]
+ > If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
-3. In File Explorer, open the folder where you stored the copy of the profile.
+1. Rename `Ntuser.dat` to `Ntuser.man`.
- >[!NOTE]
- >If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
-
-4. Rename `Ntuser.dat` to `Ntuser.man`.
-
-## How to apply a mandatory user profile to users
+## Apply a mandatory user profile to users
In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
-**To apply a mandatory user profile to users**
+### How to apply a mandatory user profile to users
1. Open **Active Directory Users and Computers** (dsa.msc).
-2. Navigate to the user account that you will assign the mandatory profile to.
+1. Navigate to the user account that you will assign the mandatory profile to.
-3. Right-click the user name and open **Properties**.
+1. Right-click the user name and open **Properties**.
-4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile.
+1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
-5. Click **OK**.
+1. Click **OK**.
It may take some time for this change to replicate to all domain controllers.
-
-
## Apply policies to improve sign-in time
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
-
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
-> [!Note]
+> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.
-
-
-
-
## Related topics
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
-
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 9241a7fdf7..476d73c694 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -159,15 +159,15 @@
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
-#### [Policies supported by Group Policy](policies-supported-by-group-policy.md)
-#### [ADMX-backed policies](policies-admx-backed.md)
-#### [Policies supported by HoloLens 2](policies-supported-by-hololens2.md)
-#### [Policies supported by HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies supported by HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies supported by Windows 10 IoT Enterprise](policies-supported-by-iot-enterprise.md)
-#### [Policies supported by Windows 10 IoT Core](policies-supported-by-iot-core.md)
-#### [Policies supported by Microsoft Surface Hub](policies-supported-by-surface-hub.md)
-#### [Policies that can be set using Exchange Active Sync (EAS)](policies-that-can-be-set-using-eas.md)
+#### [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+#### [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+#### [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
+#### [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+#### [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+#### [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+#### [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
+#### [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
+#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index d6d6a9fc16..40de22d2b3 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
-ms.date: 04/17/2018
+ms.date: 03/27/2020
ms.reviewer:
manager: dansimp
---
@@ -39,6 +39,9 @@ Available naming macros:
Supported operation is Add.
+> [!Note]
+> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
+
**Users**
Interior node for the user account information.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 1eae18e33a..79b168c90e 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -45,7 +45,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
-7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
+7. In the Microsoft 365 admin center, select **Purchase Services** from the left nagivation.
@@ -67,7 +67,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
-1. Sign in to the Office 365 portal at
CXH-HOST (HTTP HEADER)
-Senario
+Scenario
Background Theme
WinJS
Scenario CSS
@@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T
-
@@ -215,7 +212,7 @@ EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operat
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
- The possible values for 'xx' are:
+ The possible values for 'xx' are:
- 3 = AES-CBC 128
- 4 = AES-CBC 256
@@ -237,7 +234,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
@@ -284,12 +281,12 @@ ADMX Info:
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
-This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.
+This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
-If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
+If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
@@ -317,13 +314,13 @@ Data id:
-The possible values for 'yy' are:
+The possible values for 'yy' are:
@@ -408,18 +405,18 @@ Sample value for this node to enable this policy is:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
```xml
-
@@ -556,18 +553,18 @@ ADMX Info:
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
-In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
+Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
-Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-> [!Note]
-> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
+> [!NOTE]
+> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
@@ -579,34 +576,34 @@ Sample value for this node to enable this policy is:
@@ -653,19 +650,20 @@ ADMX Info:
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
-In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
+In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
+Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
-Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
+Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
-Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
+Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
-> [!Note]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
+> [!NOTE]
+> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
@@ -677,13 +675,13 @@ Sample value for this node to enable this policy is:
-The possible values for 'yy' are:
+The possible values for 'yy' are:
-The possible values for 'zz' are:
+The possible values for 'zz' are:
@@ -769,18 +767,18 @@ Sample value for this node to enable this policy is:
If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
```xml
-
@@ -829,11 +827,12 @@ This setting configures whether BitLocker protection is required for a computer
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
-If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
+If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
-> [!Note]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
+> [!NOTE]
+> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
Sample value for this node to enable this policy is:
@@ -841,7 +840,7 @@ Sample value for this node to enable this policy is:
@@ -1084,12 +1083,33 @@ This node reports compliance state of device encryption on the system.
+Value type is int. Supported operation is Get.
+
Supported values:
- 0 - Indicates that the device is compliant.
-- Any other value represents a non-compliant device.
+- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
+
+| Bit | Error Code |
+|-----|------------|
+| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.|
+| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.|
+| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.|
+| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.|
+| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.|
+| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.|
+| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.|
+| 7 |The OS volume is unprotected.|
+| 8 |Recovery key backup failed.|
+| 9 |A fixed drive is unprotected.|
+| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
+| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
+| 12 |Windows Recovery Environment (WinRE) isn't configured.|
+| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
+| 14 |The TPM isn't ready for BitLocker.|
+| 15 |The network isn't available, which is required for recovery key backup. |
+| 16-31 |For future use.|
-Value type is int. Supported operation is Get.
@@ -1211,10 +1231,10 @@ The following example is provided to show proper format and should not be taken
March 9 2017
Deferred channel
Provide users with new features of Office only a few times a year.
October 10 2017
-Office 365 ProPlus
+Microsoft 365 Apps for enterprise
First release for Deferred channel
Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 87c13cbc3e..ffcc4f3baa 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -313,7 +313,7 @@ The deep link used for connecting your device to work will always use the follow
> **Note** Deep links only work with Internet Explorer or Edge browsers.
When connecting to MDM using a deep link, the URI you should use is
-**ms-device-enrollment:?mode=mdm**
+**ms-device-enrollment:?mode=mdm**
**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=
-
ADMX-backed policies in Policy CSP
+ADMX-backed policies in Policy CSP
@@ -709,6 +710,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
-
@@ -2562,6 +2565,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+ 
+
+Pro
+ 
3
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Allow Local System to use computer identity for NTLM.
+
+When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity.
+
+When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.)
+
+
+
+GP Info:
+- GP English name: *Network security: Allow Local System to use computer identity for NTLM*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+Valid values:
+- 0 - Disabled
+- 1 - Enabled (Allow Local System to use computer identity for NTLM.)
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@@ -2385,6 +2458,74 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) clients.
+
+This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
+
+
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index aefb521407..b96fcd749d 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Messaging
-description: Policy CSP - Messaging
+description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 8433af94b3..2d4e4b33d0 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Notifications
-description: Policy CSP - Notifications
+description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index e5adaec521..f0f51bdb9f 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Power
-description: Policy CSP - Power
+description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index ceef7004b4..3b7a445092 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -7,14 +7,15 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 03/12/2020
+ms.date: 04/07/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - RestrictedGroups
-
+> [!WARNING]
+> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -74,12 +75,18 @@ manager: dansimp
-This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership.
+
+For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed.
> [!CAUTION]
-> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:
+>
+> | Error Code | Symbolic Name | Error Description | Header |
+> |----------|----------|----------|----------|
+> | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
-Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
+Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution.
```xml
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. |
+| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`
`
This is useful when you want to ensure a certain local group always has a well-known SID as member. |
+| The latest release of Windows 10 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. |
+
+
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 205d51bff6..83b2b4ee01 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -83,7 +83,7 @@ manager: dansimp
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
> [!Note]
-> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.
+> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 52098ee14c..9949285fca 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,13 +7,16 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/04/2019
+ms.date: 02/10/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - Update
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
@@ -194,6 +197,9 @@ manager: dansimp
+
+**Update/TargetReleaseVersion**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
+
+
+ADMX Info:
+- GP English name: *Select the target Feature Update version*
+- GP name: *TargetReleaseVersion*
+- GP element: *TargetReleaseVersionId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+Value type is a string containing Windows 10 version number. For example, 1809, 1903.
+
+
+
+
+
+
+
+
+
+
+
**Update/UpdateNotificationLevel**
@@ -4371,11 +4445,13 @@ ADMX Info:
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index c485382b9e..ef56c8dd9a 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -53,17 +53,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
```
- *S-1-5-32-544*S-1-5-11
+ *S-1-5-32-544*S-1-5-11
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
```
- *S-1-5-32-544Authenticated Users
+ *S-1-5-32-544Authenticated Users
```
- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
```
- Authenticated UsersAdministrators
+ Authenticated UsersAdministrators
```
- Empty input indicates that there are no users configured to have that user right
@@ -1260,6 +1260,11 @@ GP Info:
- GP English name: *Increase scheduling priority*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
+> [!Warning]
+> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
+>
+> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
+
diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md
new file mode 100644
index 0000000000..f79f85154e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-admx-backed.md
@@ -0,0 +1,421 @@
+---
+title: ADMX-backed policy CSPs
+description: ADMX-backed policy CSPs
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# ADMX-backed policy CSPs
+
+> [!div class="op_single_selector"]
+>
+> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+> - [ADMX-backed policy-CSPs](policy-csps-admx-backed.md)
+>
+
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
+- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
+- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md
new file mode 100644
index 0000000000..328dfe2238
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md
@@ -0,0 +1,913 @@
+---
+title: Policy CSPs supported by Group Policy
+description: Policy CSPs supported by Group Policy
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Group Policy
+
+> [!div class="op_single_selector"]
+>
+> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md)
+> - [ADMX-backed policy CSPs](policy-csps-admx-backed.md)
+>
+
+- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
+- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers)
+- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
+- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
+- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
+- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall)
+- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges)
+- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
+- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
+- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime)
+- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime)
+- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate)
+- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority)
+- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority)
+- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout)
+- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
+- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
+- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
+- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
+- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode)
+- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
+- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch)
+- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting)
+- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory)
+- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
+- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions)
+- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading)
+- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage)
+- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
+- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
+- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
+- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
+- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
+- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
+- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
+- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
+- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
+- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
+- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
+- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
+- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
+- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
+- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
+- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
+- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
+- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
+- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
+- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
+- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
+- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
+- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
+- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
+- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
+- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
+- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
+- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
+- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
+- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
+- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
+- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
+- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
+- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
+- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
+- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
+- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
+- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
+- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
+- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
+- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
+- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
+- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
+- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
+- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
+- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
+- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
+- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
+- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
+- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
+- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
+- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy)
+- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory)
+- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
+- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
+- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
+- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
+- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
+- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
+- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
+- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
+- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
+- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
+- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
+- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
+- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
+- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons)
+- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
+- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
+- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
+- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
+- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
+- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
+- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
+- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
+- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
+- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
+- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
+- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
+- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
+- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
+- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic)
+- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers)
+- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
+- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
+- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
+- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
+- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
+- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
+- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
+- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
+- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
+- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
+- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
+- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
+- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
+- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
+- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
+- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
+- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
+- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
+- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
+- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
+- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
+- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
+- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
+- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
+- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
+- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
+- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
+- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
+- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
+- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
+- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
+- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
+- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
+- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
+- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
+- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
+- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
+- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
+- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
+- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
+- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
+- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
+- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
+- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
+- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
+- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
+- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
+- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
+- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
+- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
+- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
+- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
+- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
+- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
+- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
+- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
+- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
+- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
+- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
+- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
+- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
+- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
+- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
+- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
+- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
+- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
+- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
+- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
+- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
+- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
+- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
+- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
+- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
+- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
+- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
+- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
+- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
+- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
+- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
+- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
+- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
+- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
+- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
+- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
+- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
+- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
+- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
+- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
+- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
+- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
+- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
+- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
+- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
+- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline)
+- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
+- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
+- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint)
+- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
+- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
+- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete)
+- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer)
+- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
+- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
+- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
+- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory)
+- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
+- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
+- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
+- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
+- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
+- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
+- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
+- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
+- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
+- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
+- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
+- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
+- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
+- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
+- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
+- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
+- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
+- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
+- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
+- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
+- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
+- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
+- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
+- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
+- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
+- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
+- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
+- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
+- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
+- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
+- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
+- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
+- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
+- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
+- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
+- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
+- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
+- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
+- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
+- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
+- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
+- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
+- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
+- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
+- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
+- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
+- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
+- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
+- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
+- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
+- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
+- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
+- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
+- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
+- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
+- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
+- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
+- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
+- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
+- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
+- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
+- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
+- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
+- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
+- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
+- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
+- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
+- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
+- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
+- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
+- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
+- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
+- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
+- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
+- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
+- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
+- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
+- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
+- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
+- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
+- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
+- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
+- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning)
+- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
+- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
+- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
+- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts)
+- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization)
+- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
+- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
+- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
+- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol)
+- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
+- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
+- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
+- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
+- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
+- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
+- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
+- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
+- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
+- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
+- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md
new file mode 100644
index 0000000000..f77d3c1308
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md
@@ -0,0 +1,71 @@
+---
+title: Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+description: Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 09/17/2019
+---
+
+# Policy CSPs supported by HoloLens (1st gen) Commercial Suite
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md
new file mode 100644
index 0000000000..2dec2fdb8b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md
@@ -0,0 +1,69 @@
+---
+title: Policy CSPs supported by HoloLens (1st gen) Development Edition
+description: Policy CSPs supported by HoloLens (1st gen) Development Edition
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by HoloLens (1st gen) Development Edition
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
new file mode 100644
index 0000000000..5e31cf4abc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md
@@ -0,0 +1,111 @@
+---
+title: Policy CSPs supported by HoloLens 2
+description: Policy CSPs supported by HoloLens 2
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 05/11/2020
+---
+
+# Policy CSPs supported by HoloLens 2
+
+> [!div class="op_single_selector"]
+>
+> - [HoloLens 2](policy-csps-supported-by-hololens2.md)
+> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+>
+
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8
+- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
+- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
+- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
+- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8
+
+Footnotes:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
+- 7 - Added in Windows 10, version 1909.
+- 8 - Added in the next major release of Windows 10.
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-core.md b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md
new file mode 100644
index 0000000000..c37cdb1b86
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md
@@ -0,0 +1,74 @@
+---
+title: Policy CSPs supported by Windows 10 IoT Core
+description: Policy CSPs supported by Windows 10 IoT Core
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 09/16/2019
+---
+
+# Policy CSPs supported by Windows 10 IoT Core
+
+> [!div class="op_single_selector"]
+>
+> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+> - [IoT Core](policy-csps-supported-by-iot-core.md)
+>
+
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md
new file mode 100644
index 0000000000..f0837806da
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md
@@ -0,0 +1,69 @@
+---
+title: Policy CSPs supported by Windows 10 IoT Enterprise
+description: Policy CSPs supported by Windows 10 IoT Enterprise
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Windows 10 IoT Enterprise
+
+> [!div class="op_single_selector"]
+>
+> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+> - [IoT Core](policy-csps-supported-by-iot-core.md)
+>
+
+- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
+- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
+- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
+- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
new file mode 100644
index 0000000000..ec48042286
--- /dev/null
+++ b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
@@ -0,0 +1,79 @@
+---
+title: Policy CSPs supported by Microsoft Surface Hub
+description: Policy CSPs supported by Microsoft Surface Hub
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 07/18/2019
+---
+
+# Policy CSPs supported by Microsoft Surface Hub
+
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
+- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem)
+- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection)
+- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
+- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
+
+## Related topics
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
similarity index 89%
rename from windows/client-management/mdm/policies-that-can-be-set-using-eas.md
rename to windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
index 3c0303c2c0..171652aa2b 100644
--- a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md
@@ -1,6 +1,6 @@
---
-title: Policies that can be set using Exchange Active Sync (EAS)
-description: Policies that can be set using Exchange Active Sync (EAS)
+title: Policy CSPs that can be set using Exchange Active Sync (EAS)
+description: Policy CSPs that can be set using Exchange Active Sync (EAS)
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
ms.date: 07/18/2019
---
-# Policies that can be set using Exchange Active Sync (EAS)
+# Policy CSPs that can be set using Exchange Active Sync (EAS)
- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
@@ -36,4 +36,5 @@ ms.date: 07/18/2019
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+
+[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index 5e0bc0b2d9..48baff3fe8 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -1,6 +1,6 @@
---
title: PXLOGICAL configuration service provider
-description: PXLOGICAL configuration service provider
+description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 70668fa9de..e7cb92b9c4 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -45,12 +45,16 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit
+
-
+
- Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. |
+|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
+|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
## Signing in using Azure AD
-Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
-## Cortana and privacy
-We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](https://windows.microsoft.com/windows-10/cortana-privacy-faq) topic.
+Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](https://docs.microsoft.com/azure/active-directory/)
+
+## How is my data processed by Cortana?
+
+Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later.
+
+### Cortana in Windows 10, version 2004 and later
+
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). For more information, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+
+#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
+
+The table below describes the data handling for Cortana enterprise services.
+
+
+|**Name** |**Description** |
+|---------|---------|
+|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. |
+|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
+|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio is not retained. |
+|**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. |
+|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data is not used to target advertising. |
+
+#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
+
+Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
+
+First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](https://docs.microsoft.com/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard.
+
+The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
+
+:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
+
+At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
+
+If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized.
+
+### Cortana in Windows 10, versions 1909 and earlier
+
+Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419).
Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
## See also
+
- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
-
-- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
-
-- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 0122fb2eb7..1729809a44 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -13,34 +13,40 @@ manager: dansimp
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
>[!NOTE]
->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=717381).
-
-|Group policy |MDM policy |Description |
-|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
This setting only applies to Windows 10 for desktop devices. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
-|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
-|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
-|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled).|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
-
-
-
-
-
-
-
-
-
-
+>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
+|**Group policy** |**MDM policy** |**Description** |
+|---------|---------|---------|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
+> [!IMPORTANT]
+> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
+> [!NOTE]
+> Cortana in Windows 10, versions 2004 and later do not currently support Above Lock. |
+|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
+> [!NOTE]
+> This setting only applies to Windows 10 versions 2004 and later. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
+|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
+Users will still be able to type queries to Cortana. |
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
+**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
**In Windows 10, version 2004 and later**
Cortana will work, but voice input will be disabled. |
+|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
+**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
+**In Windows 10, version 1607 and later**
+Cortana still works if this setting is turned off (disabled).
+**In Windows 10, version 2004 and later**
+Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later do not currently use the Location service. |
+|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
+Disable this setting if you only want to allow users to sign in with their Azure AD account. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
+**In Windows 10, version 2004 and later**
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, do not currently use the Location service. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
+**In Windows 10 Pro edition**
This setting can’t be managed.
+**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).
+**In Windows 10, version 2004 and later**
This setting no longer affects Cortana. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
+> [!NOTE]
+> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 1239cdfc7a..6bf6aaf7bd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -13,10 +13,6 @@ manager: dansimp
---
# Set up and test Cortana for Power BI in your organization
-**Applies to:**
-
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index a7b6e72c12..642a124de8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -12,49 +12,21 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
+# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+2. Select the "…" menu and select **Talking to Cortana**.
-This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook.
+3. Toggle **Wake word** to **On** and close Cortana.
-## Turn on Azure AD
-This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+4. Say **Cortana, what can you do?**.
-1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**.
+When you say "Cortana", Cortana will open in listening mode to acknowledge the wake word.
-2. Click your email address.
+:::image type="content" source="../../../images/screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
- A dialog box appears, showing the associated account info.
+Once you finish saying your query, Cortana will open with the result.
-3. Click your email address again, and then click **Sign out**.
-
- This signs out the Microsoft account, letting you continue to add and use the Azure AD account.
-
-4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request.
-
-5. Click **Sign-In** and follow the instructions.
-
-6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com.
-
- >[!IMPORTANT]
- >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it.
-
-## Use Cortana to manage the notebook content
-This process helps you to manage the content Cortana shows in your Notebook.
-
-1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**.
-
-2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**.
-
-3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**.
-
- 
-
-4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington.
-
- 
+>[!NOTE]
+>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index c58d165771..55a3d754d6 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -12,32 +12,15 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 2 - Perform a quick search with Cortana at work
+# Test scenario 2 – Perform a Bing search with Cortana
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+1. Select the **Cortana** icon in the taskbar.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+2. Type **What time is it in Hyderabad?**.
-This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
+Cortana will respond with the information from Bing.
-## Search using Cortana
-This process helps you use Cortana at work to perform a quick search.
+:::image type="content" source="../../../images/screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad":::
-1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-2. Type *Weather in New York*.
-
- You should see the weather in New York, New York at the top of the search results.
-
- 
-
-## Search with Cortana, by using voice commands
-This process helps you to use Cortana at work and voice commands to perform a quick search.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago.
-
- 
+>[!NOTE]
+>This scenario requires Bing Answers to be enabled. For more information, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index d072cdb5fa..333199a0a5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -12,77 +12,15 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 3 - Set a reminder for a specific location using Cortana at work
+# Test scenario 3 - Set a reminder
-- Windows 10, version 1703
-- Windows 10 Mobile, version 1703
+This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
+1. Select the **Cortana** icon in the taskbar and type _Remind me to send a link to the deck at 3:05pm_ and press **Enter**.
-This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
+Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
->[!NOTE]
->You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.
- <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutModificationTemplate Version="1" xmlns="https://schemas.microsoft.com/Start/2014/LayoutModification">
<DefaultLayoutOverride>
<StartLayoutCollection>
- <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
- <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+ <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="https://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+ <start:Group Name="Life at a glance" xmlns:start="https://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG
similarity index 100%
rename from windows/configuration/images/sccm-asset.PNG
rename to windows/configuration/images/configmgr-asset.PNG
diff --git a/windows/configuration/images/sccm-assets.PNG b/windows/configuration/images/configmgr-assets.PNG
similarity index 100%
rename from windows/configuration/images/sccm-assets.PNG
rename to windows/configuration/images/configmgr-assets.PNG
diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG
similarity index 100%
rename from windows/configuration/images/sccm-client.PNG
rename to windows/configuration/images/configmgr-client.PNG
diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG
similarity index 100%
rename from windows/configuration/images/sccm-collection.PNG
rename to windows/configuration/images/configmgr-collection.PNG
diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/configuration/images/sccm-install-os.PNG
rename to windows/configuration/images/configmgr-install-os.PNG
diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/configuration/images/sccm-post-refresh.PNG
rename to windows/configuration/images/configmgr-post-refresh.PNG
diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/configuration/images/sccm-pxe.PNG
rename to windows/configuration/images/configmgr-pxe.PNG
diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG
similarity index 100%
rename from windows/configuration/images/sccm-site.PNG
rename to windows/configuration/images/configmgr-site.PNG
diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/configuration/images/sccm-software-cntr.PNG
rename to windows/configuration/images/configmgr-software-cntr.PNG
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index ca42852107..6d72ff398f 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -1,6 +1,6 @@
---
title: Configure Windows 10 (Windows 10)
-description: Learn about configuring Windows 10.
+description: Apply custom accessibility configurations to devices for their users using the all the features and methods available with Windows 10.
keywords: Windows 10, MDM, WSUS, Windows update
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index a523b64e83..0f99ece694 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -40,7 +40,6 @@ Remove access to the context menus for the task bar | Enabled
Clear history of recently opened documents on exit | Enabled
Prevent users from customizing their Start Screen | Enabled
Prevent users from uninstalling applications from Start | Enabled
-Remove All Programs list from the Start menu | Enabled
Remove Run menu from Start Menu | Enabled
Disable showing balloon notifications as toast | Enabled
Do not allow pinning items in Jump Lists | Enabled
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 327042ee5c..43317581df 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -20,10 +20,7 @@ ms.topic: article
**Applies to**
- Windows 10 Ent, Edu
->[!WARNING]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, version 1809 and earlier, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in the next feature update to Windows 10, you can also specify a UWP app as the replacement shell.
+Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index c9d6d3b2c0..f09e5ee991 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -1,6 +1,6 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10)
-description: XML and XSD for kiosk device configuration.
+description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
manager: dansimp
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index b69a8c78e1..3de98a5454 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -27,7 +27,7 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
>[!IMPORTANT]
->If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
## Settings for UWP apps
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 0f0d1cd783..e665d37ba5 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -78,14 +78,14 @@ You can also use Group Policy to manage access to Microsoft Store.
1. Type gpedit in the search bar to find and start Group Policy Editor.
-2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**.
+2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**.
-3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**.
+3. In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**.
-4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
+4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
> [!Important]
-> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store.
+> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
## Block Microsoft Store using management tool
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 2a219ab6bc..f9fb4b255a 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -70,9 +70,9 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version
**Type: String**
-UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
+UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
-`
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus.
+The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
## Microsoft 365
@@ -49,7 +49,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
## Windows 10 servicing and support
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
@@ -58,7 +58,7 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
+Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below.
diff --git a/windows/deployment/deploy-windows-sccm/TOC.md b/windows/deployment/deploy-windows-cm/TOC.md
similarity index 65%
rename from windows/deployment/deploy-windows-sccm/TOC.md
rename to windows/deployment/deploy-windows-cm/TOC.md
index 93aadaebcd..b26445c4ab 100644
--- a/windows/deployment/deploy-windows-sccm/TOC.md
+++ b/windows/deployment/deploy-windows-cm/TOC.md
@@ -1,15 +1,15 @@
-# Deploy Windows 10 with Configuration Manager
-## [Configuration Manager components](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-### [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+## Prepare for Windows 10 deployment with Configuration Manager
+### [Prepare for Zero Touch Installation with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-### [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+## Deploy Windows 10 with Configuration Manager
### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Perform an in-place upgrade to Windows 10 using Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
\ No newline at end of file
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
similarity index 50%
rename from windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
rename to windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 9fdf3cf07d..1fd47c5505 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -17,60 +17,54 @@ ms.topic: article
# Add a Windows 10 operating system image using Configuration Manager
-
**Applies to**
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+- Windows 10
Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point.
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+## Infrastructure
-1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
- 
+>[!IMPORTANT]
+>The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
- Figure 17. The Windows 10 image copied to the Sources folder structure.
+ ## Add a Windows 10 operating system image
+
+ On **CM01**:
+
+1. Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+2. Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+
+ 
+
+ The Windows 10 image being copied to the Sources folder structure.
3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
-
-4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**.
-
-5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**.
-
-6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**.
-
-7. In the Distribute Content Wizard, add the CM01 distribution point.
-
-8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then click **Next**.
+5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**.
+6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
+7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
+8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
- Figure 18. The distributed Windows 10 Enterprise x64 RTM package.
+ The distributed Windows 10 Enterprise x64 RTM package.
+
+Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md).
## Related topics
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
new file mode 100644
index 0000000000..e8896d30de
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -0,0 +1,110 @@
+---
+title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
+description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
+ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, task sequence
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Add drivers for Windows PE
+
+This section will show you how to import some network and storage drivers for Windows PE.
+
+>[!NOTE]
+>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
+
+This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
+
+
+
+Driver folder structure on CM01
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
+4. On the **Select the packages to add the imported driver** page, click **Next**.
+5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and click **Next**.
+6. In the popup window that appears, click **Yes** to automatically update the distribution point.
+7. Click **Next**, wait for the image to be updated, and then click **Close**.
+
+ 
+ 
+ 
+ 
+
+ Add drivers to Windows PE
+
+## Add drivers for Windows 10
+
+This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
+
+For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
+
+
+
+Driver folder structure on CM01
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and click **Next**. Wait a minute for driver information to be validated.
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, click **OK**, and then click **Next**.
+
+ 
+
+ Create driver categories
+
+
+4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
+
+ * Name: Windows 10 x64 - HP EliteBook 8560w
+ * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w
+
+ >[!NOTE]
+ >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify.
+
+5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
+
+ >[!NOTE]
+ >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+
+ 
+
+ Drivers imported and a new driver package created
+
+Next, see [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
new file mode 100644
index 0000000000..5ff94676d8
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -0,0 +1,100 @@
+---
+title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
+description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
+ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: tool, customize, deploy, boot image
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a custom Windows PE boot image with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+- The boot image that is created is based on the version of ADK that is installed.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Add DaRT 10 files and prepare to brand the boot image
+
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
+
+We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
+
+On **CM01**:
+
+1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings.
+2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
+3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
+4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
+5. Using File Explorer, navigate to the **C:\\Setup** folder.
+6. Copy the **Branding** folder to **D:\\Sources\\OSD**.
+
+## Create a boot image for Configuration Manager using the MDT wizard
+
+By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
+2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
+
+ >[!NOTE]
+ >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
+
+3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
+4. On the **Options** page, select the **x64** platform, and click **Next**.
+5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and click **Next**.
+
+ 
+
+ Add the DaRT component to the Configuration Manager boot image.
+
+ >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.
+
+6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
+7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
+8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
+9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
+
+ 
+ 
+
+ Content status for the Zero Touch WinPE x64 boot image
+
+10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
+11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
+12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
+13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
+
+ 
+ 
+
+>Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009.
+
+Next, see [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
new file mode 100644
index 0000000000..7f539c965d
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -0,0 +1,144 @@
+---
+title: Create a task sequence with Configuration Manager (Windows 10)
+description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, upgrade, task sequence, install
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.pagetype: mdt
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a task sequence with Configuration Manager and MDT
+
+**Applies to**
+
+- Windows 10
+
+In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly.
+
+## Create a task sequence using the MDT Integration Wizard
+
+This section walks you through the process of creating a Configuration Manager task sequence for production use.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
+3. On the **General** page, assign the following settings and then click **Next**:
+ * Task sequence name: Windows 10 Enterprise x64 RTM
+ * Task sequence comments: Production image with Office 365 Pro Plus x64
+4. On the **Details** page, assign the following settings and then click **Next**:
+ * Join a Domain
+ * Domain: contoso.com
+ * Account: contoso\\CM\_JD
+ * Password: pass@word1
+ * Windows Settings
+ * User name: Contoso
+ * Organization name: Contoso
+ * Product key: <blank>
+
+5. On the **Capture Settings** page, accept the default settings, and click **Next**.
+6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
+8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
+9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
+10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and click **Next**.
+11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and click **Next**.
+12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and click **Next**.
+13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and click **Next**.
+14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
+15. On the **Sysprep Package** page, click **Next** twice.
+16. On the **Confirmation** page, click **Finish**.
+
+## Edit the task sequence
+
+After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and click **Edit**.
+2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following:
+ * OSDPreserveDriveLetter: True
+
+ >[!NOTE]
+ >If you don't change this value, your Windows installation will end up in D:\\Windows.
+
+3. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
+4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
+5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
+6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
+ * Name: HP EliteBook 8560w
+ * Driver Package: Windows 10 x64 - HP EliteBook 8560w
+ * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
+
+ >[!NOTE]
+ >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+
+ 
+
+ The driver package options
+
+7. In the **State Restore / Install Applications** group, select the **Install Application** action.
+8. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
+
+ 
+
+ Add an application to the Configuration Manager task sequence
+
+ >[!NOTE]
+ >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release.
+
+9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings:
+ * Request state storage location to: Restore state from another computer
+ * If computer account fails to connect to state store, use the Network Access account: selected
+ * Options: Continue on error
+ * Options / Add Condition:
+ * Task Sequence Variable
+ * USMTLOCAL not equals True
+
+10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings:
+ * Options: Continue on error
+ * Options / Condition:
+ * Task Sequence Variable
+ * USMTLOCAL not equals True
+
+11. Click **OK**.
+
+## Organize your packages (optional)
+
+If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages.
+
+To create a folder for packages:
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
+2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure.
+3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
+
+Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..7e1c6b9819
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,86 @@
+---
+title: Create an app to deploy with Windows 10 using Configuration Manager
+description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, task sequence, custom, customize
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create an application to deploy with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+>[!NOTE]
+>The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
+
+## Example: Create the Adobe Reader application
+
+On **CM01**:
+
+1. Create the **D:\Setup** folder if it does not already exist.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader.
+2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example:
+
+ ```powershell
+ Set-Location C:\Users\administrator.CONTOSO\Downloads
+ .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
+ ```
+ >Note: the extraction process will create the "Adobe" folder
+
+3. Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder.
+4. In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
+5. Right-click **Applications**, point to **Folder** and then click **Create Folder**. Assign the name **OSD**.
+6. Right-click the **OSD** folder, and click **Create Application**.
+7. In the Create Application Wizard, on the **General** page, use the following settings:
+
+ * Automatically detect information about this application from installation files
+ * Type: Windows Installer (\*.msi file)
+ * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
+
+ 
+
+ The Create Application Wizard
+
+8. Click **Next**, and wait while Configuration Manager parses the MSI file.
+9. On the **Import Information** page, review the information and then click **Next**.
+10. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, click **Next** twice, and then click **Close**.
+
+ >[!NOTE]
+ >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+
+ 
+
+ Add the "OSD Install" suffix to the application name
+
+11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties).
+12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
+
+Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
new file mode 100644
index 0000000000..a5ea3f78c2
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -0,0 +1,102 @@
+---
+title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
+description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
+ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, image, UEFI, task sequence
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 using PXE and Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
+
+This topic assumes that you have completed the following prerequisite procedures:
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
+- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+
+For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
+- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+ - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
+- PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network.
+
+>[!NOTE]
+>If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!NOTE]
+>No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
+
+## Procedures
+
+1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
+2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**.
+3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
+4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
+5. The operating system deployment will take several minutes to complete.
+6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following:
+
+ * Install the Windows 10 operating system.
+ * Install the Configuration Manager client and the client hotfix.
+ * Join the computer to the domain.
+ * Install the application added to the task sequence.
+
+ >[!NOTE]
+ >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+
+ 
+
+ Monitoring the deployment with MDT.
+
+7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus.
+
+Examples are provided below of various stages of deployment:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
new file mode 100644
index 0000000000..b3c301d048
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -0,0 +1,167 @@
+---
+title: Finalize operating system configuration for Windows 10 deployment
+description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
+ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: configure, deploy, upgrade
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
+
+For the purposes of this guide, we will use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+ An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+## Enable MDT monitoring
+
+This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
+
+On **CM01**:
+
+1. Open the Deployment Workbench, right-click **Deployment Shares** and click **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
+
+ * Deployment share path: D:\\MDTProduction
+ * Share name: MDTProduction$
+ * Deployment share description: MDT Production
+ * Options: <default settings>
+
+2. Right-click the **MDT Production** deployment share, and click **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
+
+ 
+
+ Enable MDT monitoring for Configuration Manager
+
+## Configure the Logs folder
+
+The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
+
+On **CM01**:
+
+1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt:
+
+ ```
+ icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
+ ```
+
+2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
+3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings:
+
+ ```
+ [Settings]
+ Priority=Default
+ Properties=OSDMigrateConfigFiles,OSDMigrateMode
+
+ [Default]
+ DoCapture=NO
+ ComputerBackupLocation=NONE
+ MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
+ OSDMigrateMode=Advanced
+ OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
+ OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
+ SLSHARE=\\CM01\Logs$
+ EventService=http://CM01:9800
+ ApplyGPOPack=NO
+ ```
+
+ 
+
+ The Settings package, holding the rules and the Unattend.xml template used during deployment
+
+3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box.
+
+ >[!NOTE]
+ >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
+
+## Distribute content to the CM01 distribution portal
+
+In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
+2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
+3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
+
+ 
+
+ Content status
+
+## Create a deployment for the task sequence
+
+This sections provides steps to help you create a deployment for the task sequence.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then click **Deploy**.
+2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and click **Next**.
+3. On the **Deployment Settings** page, use the following settings and then click **Next**:
+
+ * Purpose: Available
+ * Make available to the following: Only media and PXE
+
+ 
+
+ Configure the deployment settings
+
+4. On the **Scheduling** page, accept the default settings and click **Next**.
+5. On the **User Experience** page, accept the default settings and click **Next**.
+6. On the **Alerts** page, accept the default settings and click **Next**.
+7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
+
+ 
+
+ The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE
+
+## Configure Configuration Manager to prompt for the computer name during deployment (optional)
+
+You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+
+This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and click **Properties**.
+
+2. On the **Collection Variables** tab, create a new variable with the following settings:
+
+ * Name: OSDComputerName
+ * Clear the **Do not display this value in the Configuration Manager console** check box.
+
+3. Click **OK**.
+
+ >[!NOTE]
+ >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
+
+ 
+
+ Configure a collection variable
+
+Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
new file mode 100644
index 0000000000..ca87d2d6b3
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -0,0 +1,391 @@
+---
+title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
+description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
+ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: install, configure, deploy, deployment
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
+
+## Prerequisites
+
+In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
+
+- Configuration Manager current branch + all security and critical updates are installed.
+ - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
+- The [Active Directory Schema has been extended](https://docs.microsoft.com/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
+- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/configure-discovery-methods).
+- IP range [boundaries and a boundary group](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
+- The Configuration Manager [reporting services](https://docs.microsoft.com/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
+- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
+- The [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
+- The [CMTrace tool](https://docs.microsoft.com/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
+ - Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
+
+For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01.
+- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer does not need to be a domain member.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+### Domain credentials
+
+The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
+
+**Active Directory domain name**: contoso.com
+**Domain administrator username**: administrator
+**Domain administrator password**: pass@word1
+
+## Create the OU structure
+
+>[!NOTE]
+>If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
+
+On **DC01**:
+
+To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.
+
+To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+
+```powershell
+$oulist = Import-csv -Path c:\oulist.txt
+ForEach($entry in $oulist){
+ $ouname = $entry.ouname
+ $oupath = $entry.oupath
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
+}
+```
+
+Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+
+```text
+OUName,OUPath
+Contoso,"DC=CONTOSO,DC=COM"
+Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
+Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
+Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
+Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+Set-Location C:\Setup\Scripts
+.\ou.ps1
+```
+
+## Create the Configuration Manager service accounts
+
+A role-based model is used to configure permissions for the service accounts needed for operating system deployment in Configuration Manager. Perform the following steps to create the Configuration Manager **join domain** and **network access** accounts:
+
+On **DC01**:
+
+1. In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**.
+2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
+
+ * Name: CM\_JD
+ * User logon name: CM\_JD
+ * Password: pass@word1
+ * User must change password at next logon: Clear
+ * User cannot change password: Selected
+ * Password never expires: Selected
+
+3. Repeat the step, but for the CM\_NAA account.
+4. After creating the accounts, assign the following descriptions:
+
+ * CM\_JD: Configuration Manager Join Domain Account
+ * CM\_NAA: Configuration Manager Network Access Account
+
+## Configure Active Directory permissions
+
+In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
+
+On **DC01**:
+
+1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt:
+
+ ```
+ Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+ Set-Location C:\Setup\Scripts
+ .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
+ ```
+
+2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
+
+ * Scope: This object and all descendant objects
+ * Create Computer objects
+ * Delete Computer objects
+ * Scope: Descendant Computer objects
+ * Read All Properties
+ * Write All Properties
+ * Read Permissions
+ * Modify Permissions
+ * Change Password
+ * Reset Password
+ * Validated write to DNS host name
+ * Validated write to service principal name
+
+## Review the Sources folder structure
+
+On **CM01**:
+
+To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01):
+
+>[!NOTE]
+>In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
+
+- D:\\Sources
+- D:\\Sources\\OSD
+- D:\\Sources\\OSD\\Boot
+- D:\\Sources\\OSD\\DriverPackages
+- D:\\Sources\\OSD\\DriverSources
+- D:\\Sources\\OSD\\MDT
+- D:\\Sources\\OSD\\OS
+- D:\\Sources\\OSD\\Settings
+- D:\\Sources\\OSD\\Branding
+- D:\\Sources\\Software
+- D:\\Sources\\Software\\Adobe
+- D:\\Sources\\Software\\Microsoft
+
+You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure:
+
+>We will also create the D:\Logs folder here which will be used later to support server-side logging.
+
+```powershell
+New-Item -ItemType Directory -Path "D:\Sources"
+New-Item -ItemType Directory -Path "D:\Sources\OSD"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Boot"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\DriverPackages"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\DriverSources"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\OS"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Settings"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\Branding"
+New-Item -ItemType Directory -Path "D:\Sources\OSD\MDT"
+New-Item -ItemType Directory -Path "D:\Sources\Software"
+New-Item -ItemType Directory -Path "D:\Sources\Software\Adobe"
+New-Item -ItemType Directory -Path "D:\Sources\Software\Microsoft"
+New-SmbShare -Name Sources$ -Path D:\Sources -FullAccess "NT AUTHORITY\INTERACTIVE", "BUILTIN\Administrators"
+New-Item -ItemType Directory -Path "D:\Logs"
+New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
+```
+
+## Integrate Configuration Manager with MDT
+
+To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings.
+
+On **CM01**:
+
+1. Sign in as contoso\administrator.
+2. Ensure the Configuration Manager Console is closed before continuing.
+5. Click Start, type **Configure ConfigManager Integration**, and run the application the following settings:
+
+ * Site Server Name: CM01.contoso.com
+ * Site code: PS1
+
+
+
+MDT integration with Configuration Manager.
+
+## Configure the client settings
+
+Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name.
+
+On **CM01**:
+
+1. Open the Configuration Manager Console, select the Administration workspace, then click **Client Settings**.
+2. In the right pane, right-click **Default Client Settings** and then click **Properties**.
+3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
+
+
+
+Configure the organization name in client settings.
+
+
+
+The Contoso organization name displayed during deployment.
+
+## Configure the Network Access account
+
+Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution points. In this section, you configure the Network Access account.
+
+On **CM01**:
+
+1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
+2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
+3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
+
+
+
+Test the connection for the Network Access account.
+
+## Enable PXE on the CM01 distribution point
+
+Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point.
+
+On **CM01**:
+
+1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
+2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
+3. On the **PXE** tab, use the following settings:
+
+ * Enable PXE support for clients
+ * Allow this distribution point to respond to incoming PXE requests
+ * Enable unknown computer
+ * Require a password when computers use PXE
+ * Password and Confirm password: pass@word1
+
+ 
+
+ Configure the CM01 distribution point for PXE.
+
+ >[!NOTE]
+ >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
+
+4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
+
+ 
+
+ The distmgr.log displays a successful configuration of PXE on the distribution point.
+
+5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
+
+ 
+
+ The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
+
+ **Note**: These files are used by WDS. They are not used by the ConfigMgr PXE Responder. This article does not use the ConfigMgr PXE Responder.
+
+Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).
+
+## Components of Configuration Manager operating system deployment
+
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
+
+ **Note** The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
+
+## Why integrate MDT with Configuration Manager
+
+As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
+
+>[!NOTE]
+>MDT installation requires the following:
+>- The Windows ADK for Windows 10 (installed in the previous procedure)
+>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>- Microsoft .NET Framework
+
+### MDT enables dynamic deployment
+
+When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
+
+The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
+- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
+
+ ``` syntax
+ [Settings]
+ Priority=Model
+ [HP EliteBook 8570w]
+ Packages001=PS100010:Install HP Hotkeys
+ ```
+- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
+ ``` syntax
+ [Settings]
+ Priority= ByLaptopType, ByDesktopType
+ [ByLaptopType]
+ Subsection=Laptop-%IsLaptop%
+ [ByDesktopType]
+ Subsection=Desktop-%IsDesktop%
+ [Laptop-True]
+ Packages001=PS100012:Install Cisco VPN Client
+ OSDComputerName=LT-%SerialNumber%
+ MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
+ [Desktop-True]
+ OSDComputerName=DT-%SerialNumber%
+ MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
+ ```
+
+
+
+The Gather action in the task sequence is reading the rules.
+
+### MDT adds an operating system deployment simulation environment
+
+When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+
+
+
+The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
+
+### MDT adds real-time monitoring
+
+With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
+
+
+
+View the real-time monitoring data with PowerShell.
+
+### MDT adds an optional deployment wizard
+
+For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
+
+
+
+The optional UDI wizard open in the UDI Wizard Designer.
+
+MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
+
+### Why use MDT Lite Touch to create reference images
+
+You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
+- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
+- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+- The Configuration Manager task sequence does not suppress user interface interaction.
+- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
+- MDT Lite Touch does not require any infrastructure and is easy to delegate.
+
+## Related topics
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..24ea36579b
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,148 @@
+---
+title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
+ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, computer refresh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+
+A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
+
+1. Data and settings are backed up locally in a backup folder.
+2. The partition is wiped, except for the backup folder.
+3. The new operating system image is applied.
+4. Other applications are installed.
+5. Data and settings are restored.
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10.
+
+>[!NOTE]
+>If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!IMPORTANT]
+>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+
+## Verify the Configuration Manager client settings
+
+To verify that PC003 is correctly assigned to the PS1 site:
+
+On **PC0003**:
+
+1. Open the Configuration Manager control panel (control smscfgrc).
+2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
+3. Verify that Configuration Manager has successfullyl found a site to manage this client is displayed. See the following example.
+
+
+
+## Create a device collection and add the PC0003 computer
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+ * General
+ * Name: Install Windows 10 Enterprise x64
+ * Limited Collection: All Systems
+ * Membership rules
+ * Add Rule: Direct rule
+ * Resource Class: System Resource
+ * Attribute Name: Name
+ * Value: PC0003
+ * Select Resources
+ * Select **PC0003**
+
+ Use the default settings to complete the remaining wizard pages and click **Close**.
+
+2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
+
+ >[!NOTE]
+ >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+
+## Create a new deployment
+
+On **CM01**:
+
+Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then click **Deploy**. Use the following settings:
+
+- General
+ - Collection: Install Windows 10 Enterprise x64
+- Deployment Settings
+ - Purpose: Available
+ - Make available to the following: Configuration Manager clients, media and PXE
+
+ >[!NOTE]
+ >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+
+- Scheduling
+ - <default>
+- User Experience
+ - <default>
+- Alerts
+ - <default>
+- Distribution Points
+ - <default>
+
+## Initiate a computer refresh
+
+Now you can start the computer refresh on PC0003.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Assets and Compliance workspace, click the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, click **Download Computer Policy**, and then click **OK** in the popup dialog box that appears.
+
+On **PC0003**:
+
+1. Open the Software Center (click Start and type **Software Center**, or click the **New software is available** balloon in the system tray), select **Operating Systems** and click the **Windows 10 Enterprise x64 RTM** deployment, then click **Install**.
+2. In the **Software Center** warning dialog box, click **Install Operating System**.
+3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
+
+
+
+
+
+
+
+
+
+
+
+
+Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
new file mode 100644
index 0000000000..b2ef8ff138
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -0,0 +1,214 @@
+---
+title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, replace computer, setup
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10.
+
+In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+ - Important: CM01 must include the **[State migration point](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
+- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
+- PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
+
+>[!NOTE]
+>PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+>[!IMPORTANT]
+>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+
+## Create a replace task sequence
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
+2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
+3. On the **General** page, assign the following settings and click **Next**:
+
+ * Task sequence name: Replace Task Sequence
+ * Task sequence comments: USMT backup only
+
+4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
+6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then click **Next**.
+7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
+8. On the **Summary** page, review the details and then click **Next**.
+9. On the **Confirmation** page, click **Finish**.
+
+10. Review the Replace Task Sequence.
+
+ >[!NOTE]
+ >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
+
+
+
+The backup-only task sequence (named Replace Task Sequence).
+
+## Associate the new device with the old computer
+
+This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
+
+On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS:
+
+1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet.
+
+On **CM01**:
+
+2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**.
+3. On the **Select Source** page, select **Import single computer** and click **Next**.
+4. On the **Single Computer** page, use the following settings and then click **Next**:
+
+ * Computer Name: PC0006
+ * MAC Address: <the mac address that you wrote down>
+ * Source Computer: PC0004
+
+ 
+
+ Creating the computer association between PC0004 and PC0006.
+
+5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
+6. On the **Data Preview** page, click **Next**.
+7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**.
+8. On the **Summary** page, click **Next**, and then click **Close**.
+9. Select the **User State Migration** node and review the computer association in the right hand pane.
+10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
+11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
+
+## Create a device collection and add the PC0004 computer
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+ * General
+ * Name: USMT Backup (Replace)
+ * Limited Collection: All Systems
+ * Membership rules:
+ * Add Rule: Direct rule
+ * Resource Class: System Resource
+ * Attribute Name: Name
+ * Value: PC0004
+ * Select Resources:
+ * Select **PC0004**
+
+ Use default settings for the remaining wizard pages, then click **Close**.
+
+2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection.
+
+## Create a new deployment
+
+On **CM01**:
+
+Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
+
+- General
+ - Collection: USMT Backup (Replace)
+- Deployment Settings
+ - Purpose: Available
+ - Make available to the following: Only Configuration Manager Clients
+- Scheduling
+ - <default>
+- User Experience
+ - <default>
+- Alerts
+ - <default>
+- Distribution Points
+ - <default>
+
+## Verify the backup
+
+This section assumes that you have a computer named PC0004 with the Configuration Manager client installed.
+
+On **PC0004**:
+
+1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
+2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3. Open the Software Center, select the **Replace Task Sequence** deployment and then click **Install**.
+4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
+
+
+
+Capturing the user state
+
+On **CM01**:
+
+6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup.
+7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
+
+ >[!NOTE]
+ >It may take a few minutes for the user state store location to be populated.
+
+## Deploy the new computer
+
+On **PC0006**:
+
+1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
+
+ * Password: pass@word1
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
+
+2. The setup now starts and does the following:
+
+ * Installs the Windows 10 operating system
+ * Installs the Configuration Manager client
+ * Joins it to the domain
+ * Installs the applications
+ * Restores the PC0004 backup
+
+When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
+
+
+
+
+
+
+
+
+
+
+
+Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
+
+## Related topics
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
new file mode 100644
index 0000000000..553be3b239
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -0,0 +1,142 @@
+---
+title: Perform in-place upgrade to Windows 10 via Configuration Manager
+description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence.
+ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process.
+
+>[!IMPORTANT]
+>Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
+
+## Infrastructure
+
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+
+For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10.
+
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+## Add an OS upgrade package
+
+Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](https://docs.microsoft.com/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**.
+2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
+3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**.
+4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**.
+5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**.
+6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
+7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
+8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+
+## Create an in-place upgrade task sequence
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
+2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and click **Next**.
+3. Use the following settings to complete the wizard:
+
+ * Task sequence name: Upgrade Task Sequence
+ * Description: In-place upgrade
+ * Upgrade package: Windows 10 x64 RTM
+ * Include software updates: Do not install any software updates
+ * Install applications: OSD \ Adobe Acrobat Reader DC
+
+4. Complete the wizard, and click **Close**.
+5. Review the Upgrade Task Sequence.
+
+
+
+The Configuration Manager upgrade task sequence
+
+## Create a device collection
+
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0004 computer running Windows 7 SP1, with the Configuration Manager client installed.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+ - General
+ - Name: Windows 10 x64 in-place upgrade
+ - Limited Collection: All Systems
+ - Membership rules:
+ - Direct rule
+ - Resource Class: System Resource
+ - Attribute Name: Name
+ - Value: PC0004
+ - Select Resources
+ - Select PC0004
+
+2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection.
+
+## Deploy the Windows 10 upgrade
+
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+
+On **CM01**:
+
+1. Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then click **Deploy**.
+2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then click **Next**.
+3. On the **Content** page, click **Next**.
+4. On the **Deployment Settings** page, click **Next**:
+5. On the **Scheduling** page, accept the default settings, and then click **Next**.
+6. On the **User Experience** page, accept the default settings, and then click **Next**.
+7. On the **Alerts** page, accept the default settings, and then click **Next**.
+7. On the **Distribution Points** page, accept the default settings, and then click **Next**.
+8. On the **Summary** page, click **Next**, and then click **Close**.
+
+## Start the Windows 10 upgrade
+
+Next, run the in-place upgrade task sequence on PC0004.
+
+On **PC0004**:
+
+1. Open the Configuration Manager control panel (control smscfgrc).
+2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+
+ >[!NOTE]
+ >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then click **Install**.
+4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
+
+
+
+
+
+
+
+
+
+In-place upgrade with Configuration Manager
+
+## Related topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
deleted file mode 100644
index 45f4bb2bb8..0000000000
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: Create a task sequence with Configuration Manager (Windows 10)
-description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
-ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade, task sequence, install
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.pagetype: mdt
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create a task sequence with Configuration Manager and MDT
-
-
-**Applies to**
-
-- Windows 10
-
-In this topic, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Create a task sequence using the MDT Integration Wizard
-
-
-This section walks you through the process of creating a Configuration Manager task sequence for production use.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and then click **Next**:
-
- * Task sequence name: Windows 10 Enterprise x64 RTM
-
- * Task sequence comments: Production image with Office 2013
-
-4. On the **Details** page, assign the following settings and then click **Next**:
-
- * Join a Domain
-
- * Domain: contoso.com
-
- * Account: CONTOSO\\CM\_JD
-
- * Password: Passw0rd!
-
- * Windows Settings
-
- * User name: Contoso
-
- * Organization name: Contoso
-
- * Product key: <blank>
-
-5. On the **Capture Settings** page, accept the default settings, and click **Next**.
-
-6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-
-8. On the **MDT Details** page, assign the name **MDT** and click **Next**.
-
-9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
-
-10. On the **Deployment Method** page, accept the default settings and click **Next**.
-
-11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**.
-
-12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**.
-
-14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
-
-15. On the **Sysprep Package** page, click **Next** twice.
-
-16. On the **Confirmation** page, click **Finish**.
-
-## Edit the task sequence
-
-
-After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more.
-
-1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
-
-2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
-
- * OSDPreserveDriveLetter: True
-
- >[!NOTE]
- >If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
-
-4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
-
-5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
-
-6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
-
- * Name: HP EliteBook 8560w
-
- * Driver Package: Windows 10 x64 - HP EliteBook 8560w
-
- * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-
- >[!NOTE]
- >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-
- 
-
- *Figure 24. The driver package options*
-
-7. In the **State Restore / Install Applications** group, select the **Install Application** action.
-
-8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
-
- 
-
- *Figure 25. Add an application to the Configuration Manager task sequence*
-
-9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
-
- * Restore state from another computer
-
- * If computer account fails to connect to state store, use the Network Access account
-
- * Options: Continue on error
-
- * Options / Condition:
-
- * Task Sequence Variable
-
- * USMTLOCAL not equals True
-
-10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
-
- * Options: Continue on error
-
- * Options / Condition:
-
- * Task Sequence Variable
-
- * USMTLOCAL not equals True
-
-11. Click **OK**.
-
->[!NOTE]
->The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
-
-
-
-## Move the packages
-
-
-While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-
-2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**.
-
-3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index aada4ef42f..c55b476746 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -160,10 +160,10 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
### Create configuration file: Microsoft Office 365 Professional Plus x64
1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
-2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Office 365 ProPlus that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
+2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
For example, you can use the following configuration.xml file, which provides these configuration settings:
- - Install the 64-bit version of Office 365 ProPlus in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
+ - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
- Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
- Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
@@ -179,7 +179,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
```
- By using these settings, any time you build the reference image you’ll be installing the most up-to-date Semi-Annual Channel version of Office 365 ProPlus.
+ By using these settings, any time you build the reference image you’ll be installing the most up-to-date Semi-Annual Channel version of Microsoft 365 Apps for enterprise.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
@@ -190,16 +190,16 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
- Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Office 365 ProPlus using the configuration settings in the configuration.xml file. Do not perform this step yet.
+ Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet.
>[!IMPORTANT]
- >After Office 365 ProPlus is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Office 365 ProPlus. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Office 365 ProPlus installed as part of your reference image.
+ >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
Additional information
-- Office 365 ProPlus is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Office 365 ProPlus will most likely need to download and install the latest updates that have been released since you created your reference image.
+- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
-- **Note**: By using installing Office Deployment Tool as part of the reference image, Office 365 ProPlus is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Office 365 ProPlus right away and won’t have to download any new updates (which is most likely what would happen if Office 365 ProPlus was installed as part of the reference image.)
- - When you are creating your reference image, instead of installing Office 365 ProPlus directly from the Office CDN on the internet, you can install Office 365 ProPlus from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Office 365 ProPlus from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Office 365 ProPlus files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Office 365 ProPlus to that location on your internal network. That way your new reference image will have a more up-to-date installation of Office 365 ProPlus.
+- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
+ - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
### Connect to the deployment share using Windows PowerShell
@@ -353,7 +353,7 @@ On **MDT01**:
6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
1. Name: Microsoft Visual C++ Redistributable 2019 - x86
2. Install a Single Application: browse to **Install - MSVC 2019 - x86**
- 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Office 365 ProPlus as well.
+ 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
3. Click **OK**.
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
deleted file mode 100644
index 54b6e72815..0000000000
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Integrate Configuration Manager with MDT (Windows 10)
-description: Understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy Windows.
-ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.pagetype: mdt
-keywords: deploy, image, customize, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Integrate Configuration Manager with MDT
-
-**Applies to**
-- Windows 10
-
-This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
-MDT is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-
-## Why integrate MDT with Configuration Manager
-
-As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
-
-> [!Note]
-> Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server.
-
-### MDT enables dynamic deployment
-
-When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
-
-The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
-- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
-
- ``` syntax
- [Settings]
- Priority=Model
- [HP EliteBook 8570w]
- Packages001=PS100010:Install HP Hotkeys
- ```
-- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
-
- ``` syntax
- [Settings]
- Priority= ByLaptopType, ByDesktopType
- [ByLaptopType]
- Subsection=Laptop-%IsLaptop%
- [ByDesktopType]
- Subsection=Desktop-%IsDesktop%
- [Laptop-True]
- Packages001=PS100012:Install Cisco VPN Client
- OSDComputerName=LT-%SerialNumber%
- MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com
- [Desktop-True]
- OSDComputerName=DT-%SerialNumber%
- MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
- ```
-
-
-
-Figure 2. The Gather action in the task sequence is reading the rules.
-
-### MDT adds an operating system deployment simulation environment
-
-When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-settings.md).
-
-
-
-Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
-
-### MDT adds real-time monitoring
-
-With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
-
-
-
-Figure 4. View the real-time monitoring data with PowerShell.
-
-### MDT adds an optional deployment wizard
-
-For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
-
-
-
-Figure 5. The optional UDI wizard open in the UDI Wizard Designer.
-
-MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
-
-## Why use MDT Lite Touch to create reference images
-
-You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
-- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
-- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
-- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
-- The Configuration Manager task sequence does not suppress user interface interaction.
-- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
-- MDT Lite Touch does not require any infrastructure and is easy to delegate.
-
-## Related topics
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](../deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](../deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](../deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](../deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](../deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 41701e19c0..52246fddfd 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -121,7 +121,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
```
->To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01.
+>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
## Install MDT
@@ -151,7 +151,7 @@ $oulist = Import-csv -Path c:\oulist.txt
ForEach($entry in $oulist){
$ouname = $entry.ouname
$oupath = $entry.oupath
- New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath
Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
}
```
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index d54f06dc77..c6400f67e9 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -31,15 +31,15 @@ To configure your environment for BitLocker, you will need to do the following:
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
-> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
+> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Configure Active Directory for BitLocker
@@ -95,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
### Set permissions in Active Directory for BitLocker
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
deleted file mode 100644
index 04dc40cc6e..0000000000
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
-description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
-ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Add drivers for Windows PE
-
-
-This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**.
-
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
-
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
-
-4. On the **Select the packages to add the imported driver** page, click **Next**.
-
-5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
-
-
-
-*Figure 21. Add drivers to Windows PE*
-
->[!NOTE]
->The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
-
-
-## Add drivers for Windows 10
-
-
-This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01.
-
-1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**.
-
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**.
-
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
-
- 
-
- *Figure 22. Create driver categories*
-
-4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
-
- * Name: Windows 10 x64 - HP EliteBook 8560w
-
- * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
-
- >[!NOTE]
- >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
-
-
-5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
-
- >[!NOTE]
- >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
-
- 
-
- *Figure 23. Drivers imported and a new driver package created*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
deleted file mode 100644
index 77ad24c498..0000000000
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
-ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: tool, customize, deploy, boot image
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create a custom Windows PE boot image with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Add DaRT 10 files and prepare to brand the boot image
-
-
-The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
-
-1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings.
-
-2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-
-3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
-
-4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
-
-5. Using File Explorer, navigate to the **C:\\Setup** folder.
-
-6. Copy the **Branding** folder to **E:\\Sources\\OSD**.
-
-## Create a boot image for Configuration Manager using the MDT wizard
-
-
-By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
-
-1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
-
-2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
-
- >[!NOTE]
- >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
-
-4. On the **Options** page, select the **x64** platform, and click **Next**.
-
-5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
-
- 
-
- Figure 15. Add the DaRT component to the Configuration Manager boot image.
-
-6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
-
- >[!NOTE]
- >It will take a few minutes to generate the boot image.
-
-7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
-
-8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
-
- 
-
- Figure 16. Content status for the Zero Touch WinPE x64 boot image
-
-10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
-
-11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
-
-12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages.
-
-13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index f19cafa1a4..0000000000
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
-ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, task sequence, custom, customize
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Create an application to deploy with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
->[!NOTE]
->Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
-## Example: Create the Adobe Reader XI application
-
-
-The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
-
-1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
-
-2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
-
-3. Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**.
-
-4. Right-click the **OSD** folder, and select **Create Application**.
-
-5. In the Create Application Wizard, on the **General** page, use the following settings:
-
- * Automatically detect information about this application from installation files
-
- * Type: Windows Installer (\*.msi file)
-
- * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
-
- * \\AdbeRdr11000\_en\_US.msi
-
- 
-
- *Figure 19. The Create Application Wizard*
-
-6. Click **Next**, and wait while Configuration Manager parses the MSI file.
-
-7. On the **Import Information** page, review the information and then click **Next**.
-
-8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
-
- >[!NOTE]
- >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-
- 
-
- *Figure 20. Add the "OSD Install" suffix to the application name*
-
-9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
-
-10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
deleted file mode 100644
index 6b8c2133f1..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
-ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, image, UEFI, task sequence
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 using PXE and Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.
-
-For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
-
- 
-
- Figure 31. PXE booting PC0001.
-
-2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**.
-
-3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
-
-4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
-
-
-
-Figure 32. Typing in the computer name.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
deleted file mode 100644
index 5a2a0146fc..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Deploy Windows 10 with Microsoft Endpoint Configuration Manager (Windows 10)
-description: If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
-ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, custom, boot
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-
-- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-
-- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
-
-- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-## Components of Configuration Manager operating system deployment
-
-
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
-
-- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
-
-- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
-
-- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
-
-- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
-
-- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
-
-- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-
-- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
-
-- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-
-- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
-
- **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-## See also
-
-- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
-- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
deleted file mode 100644
index 0c75a0f3df..0000000000
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Deploy Windows 10 with Configuration Manager (Windows 10)
-description: If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
-ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deployment, custom, boot
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
-
-For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-
-- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
-- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-## Components of Configuration Manager operating system deployment
-
-
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
-
-- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
-- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
-- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
-- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
-- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
-- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
-- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
-- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
-
- **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-
-
-## See also
-
-- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
-- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
deleted file mode 100644
index 99f2e1edd9..0000000000
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: Finalize operating system configuration for Windows 10 deployment
-description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
-ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: configure, deploy, upgrade
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft Endpoint Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Enable MDT monitoring
-
-
-This section will walk you through the process of creating the E:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
-
-1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
-
- * Deployment share path: E:\\MDTProduction
-
- * Share name: MDTProduction$
-
- * Deployment share description: MDT Production
-
- * Options: <default settings>
-
-2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
-
- 
-
- *Figure 26. Enable MDT monitoring for Configuration Manager*
-
-## Create and share the Logs folder
-
-
-To support additional server-side logging in Configuration Manager, you create and share the E:\\Logs folder on CM01 using Windows PowerShell. Then in the next step, you enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
-
-1. On CM01, start an elevated Windows PowerShell prompt (run as Administrator).
-
-2. Type the following commands, pressing **Enter** after each one:
-
- ```
- New-Item -Path E:\Logs -ItemType directory
- New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
- icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
- ```
-
-## Configure the rules (Windows 10 x64 Settings package)
-
-
-This section will show you how to configure the rules (the Windows 10 x64 Settings package) to support the Contoso environment.
-
-1. On CM01, using File Explorer, navigate to the **E:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
-
-2. Using Notepad, edit the CustomSetting.ini file with the following settings:
-
- ```
- [Settings]
- Priority=Default
- Properties=OSDMigrateConfigFiles,OSDMigrateMode
- [Default]
- DoCapture=NO
- ComputerBackupLocation=NONE
- MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com
- OSDMigrateMode=Advanced
- OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\*
- OSDMigrateConfigFiles=Miguser.xml,Migapp.xml
- SLSHARE=\\CM01\Logs$
- EventService=http://CM01:9800
- ApplyGPOPack=NO
- ```
-
- 
-
- *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
-
-3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
-
- >[!NOTE]
- >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
-
-
-
-## Distribute content to the CM01 distribution portal
-
-
-In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
-
-1. **On CM01, using the Configuration Manager Console**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content.**
-
-2. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-3. Using Configuration Manager Trace, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
-
-## Create a deployment for the task sequence
-
-
-This sections provides steps to help you create a deployment for the task sequence.
-
-1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**.
-
-2. On the **General** page, select the **All Unknown Computers** collection and click **Next**.
-
-3. On the **Deployment Settings** page, use the following settings and then click **Next**:
-
- * Purpose: Available
-
- * Make available to the following: Only media and PXE
-
- 
-
- *Figure 28. Configure the deployment settings*
-
-4. On the **Scheduling** page, accept the default settings and click **Next**.
-
-5. On the **User Experience** page, accept the default settings and click **Next**.
-
-6. On the **Alerts** page, accept the default settings and click **Next**.
-
-7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
-
- 
-
- *Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
-
-## Configure Configuration Manager to prompt for the computer name during deployment (optional)
-
-
-You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
-
-This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
-
-1. Using the Configuration Manager Console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**.
-
-2. In the **Collection Variables** tab, create a new variable with the following settings:
-
- * Name: OSDComputerName
-
- * Clear the **Do not display this value in the Configuration Manager console** check box.
-
-3. Click **OK**.
-
- >[!NOTE]
- >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
-
- 
-
- *Figure 30. Configure a collection variable*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
deleted file mode 100644
index c1461b27eb..0000000000
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Monitor the Windows 10 deployment with Configuration Manager
-description: Learn how to monitor a Windows 10 deployment with Configuration Manager. Use the Deployment Workbench to access the computer remotely.
-ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Monitor the Windows 10 deployment with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft Endpoint Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.
-
-For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-To monitor an operating system deployment conducted through Microsoft Endpoint Configuration Manager, you will use the Deployment Workbench in MDT as follows:
-
-1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
-
- >[!NOTE]
- >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
-
- 
-
- *Figure 33. PC0001 being deployed by Configuration Manager*
-
-2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
-
-3. The task sequence will now run and do the following:
-
- * Install the Windows 10 operating system.
-
- * Install the Configuration Manager client and the client hotfix.
-
- * Join the machine to the domain.
-
- * Install the application added to the task sequence.
-
- >[!NOTE]
- >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
-
-4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
deleted file mode 100644
index 4ccb6b76ea..0000000000
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ /dev/null
@@ -1,285 +0,0 @@
----
-title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
-description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
-ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: install, configure, deploy, deployment
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic will walk you through the process of integrating Microsoft Endpoint Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
-
-## Prerequisites
-
-
-In this topic, you will use an existing Configuration Manager server structure to prepare for operating system deployment. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
-
-- Active Directory Schema has been extended and System Management container created.
-
-- Active Directory Forest Discovery and Active Directory System Discovery have been enabled.
-
-- IP range boundaries and a boundary group for content and site assignment have been created.
-
-- The Configuration Manager reporting services point role has been added and configured
-
-- A file system folder structure for packages has been created.
-
-- A Configuration Manager console folder structure for packages has been created.
-
-- Microsoft Endpoint Configuration Manager and any additional Windows 10 prerequisites are installed.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Create the Configuration Manager service accounts
-
-
-To configure permissions for the various service accounts needed for operating system deployment in Configuration Manager, you use a role-based model. To create the Configuration Manager Join Domain account as well as the Configuration Manager Network Access account, follow these steps:
-
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-
-2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
-
- * Name: CM\_JD
-
- * User logon name: CM\_JD
-
- * Password: P@ssw0rd
-
- * User must change password at next logon: Clear
-
- * User cannot change password: Select
-
- * Password never expires: Select
-
-3. Repeat the step, but for the CM\_NAA account.
-
-4. After creating the accounts, assign the following descriptions:
-
- * CM\_JD: Configuration Manager Join Domain Account
-
- * CM\_NAA: Configuration Manager Network Access Account
-
-
-
-Figure 6. The Configuration Manager service accounts used for operating system deployment.
-
-## Configure Active Directory permissions
-
-
-In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
-
-1. On DC01, log on as Administrator in the CONTOSO domain using the password P@ssw0rd.
-
-2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command:
-
- ```
- Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
-
- Set-Location C:\Setup\Scripts
-
- .\Set-OUPermissions.ps1 -Account CM_JD
- -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
- ```
-
-3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
-
- * Scope: This object and all descendant objects
-
- * Create Computer objects
-
- * Delete Computer objects
-
- * Scope: Descendant Computer objects
-
- * Read All Properties
-
- * Write All Properties
-
- * Read Permissions
-
- * Modify Permissions
-
- * Change Password
-
- * Reset Password
-
- * Validated write to DNS host name
-
- * Validated write to service principal name
-
-## Review the Sources folder structure
-
-
-To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01):
-
->[!NOTE]
->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
-- E:\\Sources
-
-- E:\\Sources\\OSD
-
-- E:\\Sources\\OSD\\Boot
-
-- E:\\Sources\\OSD\\DriverPackages
-
-- E:\\Sources\\OSD\\DriverSources
-
-- E:\\Sources\\OSD\\MDT
-
-- E:\\Sources\\OSD\\OS
-
-- E:\\Sources\\OSD\\Settings
-
-- E:\\Sources\\Software
-
-- E:\\Sources\\Software\\Adobe
-
-- E:\\Sources\\Software\\Microsoft
-
-
-
-Figure 7. The E:\\Sources\\OSD folder structure.
-
-## Integrate Configuration Manager with MDT
-
-
-To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01.
-
-1. On CM01, log on as Administrator in the CONTOSO domain using the password P@ssw0rd.
-
-2. Make sure the Configuration Manager Console is closed before continuing.
-
-3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder.
-
-4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
-
-5. From the Start screen, run Configure ConfigManager Integration with the following settings:
-
- * Site Server Name: CM01.contoso.com
-
- * Site code: PS1
-
-
-
-Figure 8. Set up the MDT integration with Configuration Manager.
-
-## Configure the client settings
-
-
-Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name.
-
-1. On CM01, using the Configuration Manager Console, in the Administration workspace, select **Client Settings**.
-
-2. In the right pane, right-click **Default Client Settings**, and select **Properties**.
-
-3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
-
-
-
-Figure 9. Configure the organization name in client settings.
-
-
-
-Figure 10. The Contoso organization name displayed during deployment.
-
-## Configure the Network Access account
-
-
-Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution point(s). In this section, you configure the Network Access account.
-
-1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
-
-2. Right-click **PS1 - Primary Site 1**, select **Configure Site Components**, and then select **Software Distribution**.
-
-3. In the **Network Access Account** tab, configure the **CONTOSO\\CM\_NAA** user account (select New Account) as the Network Access account. Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
-
-
-
-Figure 11. Test the connection for the Network Access account.
-
-## Enable PXE on the CM01 distribution point
-
-
-Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point.
-
-1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
-
-2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
-
-3. In the **PXE** tab, select the following settings:
-
- * Enable PXE support for clients
-
- * Allow this distribution point to respond to incoming PXE requests
-
- * Enable unknown computer support
-
- * Require a password when computers use PXE
-
- * Password and Confirm password: Passw0rd!
-
- 
-
- Figure 12. Configure the CM01 distribution point for PXE.
-
-4. Using the Configuration Manager Trace Log Tool, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
-
- 
-
- Figure 13. The distmgr.log displays a successful configuration of PXE on the distribution point.
-
-5. Verify that you have seven files in each of the folders **E:\\RemoteInstall\\SMSBoot\\x86** and **E:\\RemoteInstall\\SMSBoot\\x64**.
-
- 
-
- Figure 14. The contents of the E:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index d9550467e3..0000000000
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
-ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, computer refresh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft Endpoint Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
-
-A computer refresh with Microsoft Endpoint Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
-
-1. Data and settings are backed up locally in a backup folder.
-
-2. The partition is wiped, except for the backup folder.
-
-3. The new operating system image is applied.
-
-4. Other applications are installed.
-
-5. Data and settings are restored.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.
-
-## Create a device collection and add the PC0003 computer
-
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-
- * General
-
- * Name: Install Windows 10 Enterprise x64
-
- * Limited Collection: All Systems
-
- * Membership rules:
-
- * Direct rule
-
- * Resource Class: System Resource
-
- * Attribute Name: Name
-
- * Value: PC0003
-
- * Select **Resources**
-
- * Select **PC0003**
-
-2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
-
- >[!NOTE]
- >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
-
-
-
-## Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings:
-
-- General
-
- - Collection: Install Windows 10 Enterprise x64
-
-- Deployment Settings
-
- - Purpose: Available
-
- - Make available to the following: Configuration Manager clients, media and PXE
-
- >[!NOTE]
- >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
-
-
-
-- Scheduling
-
- - <default>
-
-- User Experience
-
- - <default>
-
-- Alerts
-
- - <default>
-
-- Distribution Points
-
- - <default>
-
-## Initiate a computer refresh
-
-
-Now you can start the computer refresh on PC0003.
-
-1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
-
- >[!NOTE]
- >The Client Notification feature is new in Configuration Manager.
-
-2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
-
-3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
deleted file mode 100644
index b00e32b337..0000000000
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ /dev/null
@@ -1,241 +0,0 @@
----
-title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
-ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, replace computer, setup
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
-
-## Create a replace task sequence
-
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-
-2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
-
-3. On the **General** page, assign the following settings and click **Next**:
-
- * Task sequence name: Replace Task Sequence
-
- * Task sequence comments: USMT backup only
-
-4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-
-5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
-
-6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**.
-
-7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
-
-8. On the **Summary** page, review the details and then click **Next**.
-
-9. On the **Confirmation** page, click **Finish**.
-
-10. Review the Replace Task Sequence.
- >[!NOTE]
- >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
-
-
-
-Figure 34. The backup-only task sequence (named Replace Task Sequence).
-
-## Associate the new machine with the old computer
-
-
-This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
-
-1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96.
-
-2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**.
-
-3. On the **Select Source** page, select **Import single computer** and click **Next**.
-
-4. On the **Single Computer** page, use the following settings and then click **Next**:
-
- * Computer Name: PC0006
-
- * MAC Address: <the mac address from step 1>
-
- * Source Computer: PC0004
-
- 
-
- Figure 35. Creating the computer association between PC0004 and PC0006.
-
-5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
-
-6. On the **Data Preview** page, click **Next**.
-
-7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**.
-
-8. On the **Summary** page, click **Next**, and then click **Close**.
-
-9. Select the **User State Migration** node and review the computer association in the right pane.
-
-10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
-
-11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again.
-
-## Create a device collection and add the PC0004 computer
-
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
-
- * General
-
- * Name: USMT Backup (Replace)
-
- * Limited Collection: All Systems
-
- * Membership rules:
-
- * Direct rule
-
- * Resource Class: System Resource
-
- * Attribute Name: Name
-
- * Value: PC0004
-
- * Select **Resources**
-
- * Select **PC0004**
-
-2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
-
-## Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
-
-- General
-
- - Collection: USMT Backup (Replace)
-
-- Deployment Settings
-
- - Purpose: Available
-
- - Make available to the following: Only Configuration Manager Clients
-
-- Scheduling
-
- - <default>
-
-- User Experience
-
- - <default>
-
-- Alerts
-
- - <default>
-
-- Distribution Points
-
- - <default>
-
-## Verify the backup
-
-
-This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed.
-
-1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet.
-
-2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
-
- >[!NOTE]
- >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
-
-3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
-
-4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**.
-
-5. Allow the Replace Task Sequence to complete. It should only take about five minutes.
-
-6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup.
-
-7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
-
- >[!NOTE]
- >It may take a few minutes for the user state store location to be populated.
-
-
-
-## Deploy the new computer
-
-
-1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
-
- * Password: P@ssw0rd
-
- * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
-
-2. The setup now starts and does the following:
-
- * Installs the Windows 10 operating system
-
- * Installs the Configuration Manager client
-
- * Joins it to the domain
-
- * Installs the applications
-
- * Restores the PC0004 backup
-
-When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 8fc3e2cdc1..4680e56b08 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -30,7 +30,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
diff --git a/windows/deployment/images/ContosoBackground.bmp b/windows/deployment/images/ContosoBackground.bmp
new file mode 100644
index 0000000000..99c9e7c8eb
Binary files /dev/null and b/windows/deployment/images/ContosoBackground.bmp differ
diff --git a/windows/deployment/images/ContosoBackground.png b/windows/deployment/images/ContosoBackground.png
new file mode 100644
index 0000000000..12a04f0e83
Binary files /dev/null and b/windows/deployment/images/ContosoBackground.png differ
diff --git a/windows/deployment/images/cm-upgrade-ts.png b/windows/deployment/images/cm-upgrade-ts.png
new file mode 100644
index 0000000000..15c6b04400
Binary files /dev/null and b/windows/deployment/images/cm-upgrade-ts.png differ
diff --git a/windows/deployment/images/cm01-content-status1.png b/windows/deployment/images/cm01-content-status1.png
new file mode 100644
index 0000000000..2aa9f3bce1
Binary files /dev/null and b/windows/deployment/images/cm01-content-status1.png differ
diff --git a/windows/deployment/images/cm01-drivers-packages.png b/windows/deployment/images/cm01-drivers-packages.png
new file mode 100644
index 0000000000..9453c20588
Binary files /dev/null and b/windows/deployment/images/cm01-drivers-packages.png differ
diff --git a/windows/deployment/images/cm01-drivers-windows.png b/windows/deployment/images/cm01-drivers-windows.png
new file mode 100644
index 0000000000..16a6c031c7
Binary files /dev/null and b/windows/deployment/images/cm01-drivers-windows.png differ
diff --git a/windows/deployment/images/cm01-drivers.png b/windows/deployment/images/cm01-drivers.png
new file mode 100644
index 0000000000..57de49530b
Binary files /dev/null and b/windows/deployment/images/cm01-drivers.png differ
diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png
similarity index 100%
rename from windows/deployment/images/sccm-asset.PNG
rename to windows/deployment/images/configmgr-asset.png
diff --git a/windows/deployment/images/configmgr-assets.PNG b/windows/deployment/images/configmgr-assets.PNG
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.PNG differ
diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.png differ
diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG
similarity index 100%
rename from windows/deployment/images/sccm-client.PNG
rename to windows/deployment/images/configmgr-client.PNG
diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG
similarity index 100%
rename from windows/deployment/images/sccm-collection.PNG
rename to windows/deployment/images/configmgr-collection.PNG
diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG
similarity index 100%
rename from windows/deployment/images/sccm-install-os.PNG
rename to windows/deployment/images/configmgr-install-os.PNG
diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG
similarity index 100%
rename from windows/deployment/images/sccm-post-refresh.PNG
rename to windows/deployment/images/configmgr-post-refresh.PNG
diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG
similarity index 100%
rename from windows/deployment/images/sccm-pxe.PNG
rename to windows/deployment/images/configmgr-pxe.PNG
diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG
similarity index 100%
rename from windows/deployment/images/sccm-site.PNG
rename to windows/deployment/images/configmgr-site.PNG
diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG
similarity index 100%
rename from windows/deployment/images/sccm-software-cntr.PNG
rename to windows/deployment/images/configmgr-software-cntr.PNG
diff --git a/windows/deployment/images/fig16-contentstatus.png b/windows/deployment/images/fig16-contentstatus.png
index 5ea8ba275a..f48490b97d 100644
Binary files a/windows/deployment/images/fig16-contentstatus.png and b/windows/deployment/images/fig16-contentstatus.png differ
diff --git a/windows/deployment/images/fig16-contentstatus1.png b/windows/deployment/images/fig16-contentstatus1.png
new file mode 100644
index 0000000000..32c6023e7c
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus1.png differ
diff --git a/windows/deployment/images/fig16-contentstatus2.png b/windows/deployment/images/fig16-contentstatus2.png
new file mode 100644
index 0000000000..d28385f4ae
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus2.png differ
diff --git a/windows/deployment/images/fig18-distwindows.png b/windows/deployment/images/fig18-distwindows.png
index d8525ddd3e..07ff1b74c6 100644
Binary files a/windows/deployment/images/fig18-distwindows.png and b/windows/deployment/images/fig18-distwindows.png differ
diff --git a/windows/deployment/images/fig21-add-drivers1.png b/windows/deployment/images/fig21-add-drivers1.png
new file mode 100644
index 0000000000..79b797a7d3
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers1.png differ
diff --git a/windows/deployment/images/fig21-add-drivers2.png b/windows/deployment/images/fig21-add-drivers2.png
new file mode 100644
index 0000000000..2f18c5b660
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers2.png differ
diff --git a/windows/deployment/images/fig21-add-drivers3.png b/windows/deployment/images/fig21-add-drivers3.png
new file mode 100644
index 0000000000..45f97d0835
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers3.png differ
diff --git a/windows/deployment/images/fig21-add-drivers4.png b/windows/deployment/images/fig21-add-drivers4.png
new file mode 100644
index 0000000000..a6613d8718
Binary files /dev/null and b/windows/deployment/images/fig21-add-drivers4.png differ
diff --git a/windows/deployment/images/fig22-createcategories.png b/windows/deployment/images/fig22-createcategories.png
index 8912ad974f..664ffb2777 100644
Binary files a/windows/deployment/images/fig22-createcategories.png and b/windows/deployment/images/fig22-createcategories.png differ
diff --git a/windows/deployment/images/fig27-driverpackage.png b/windows/deployment/images/fig27-driverpackage.png
index c2f66669be..cfb17d05ba 100644
Binary files a/windows/deployment/images/fig27-driverpackage.png and b/windows/deployment/images/fig27-driverpackage.png differ
diff --git a/windows/deployment/images/fig28-addapp.png b/windows/deployment/images/fig28-addapp.png
index a7ba6b3709..34f6f44519 100644
Binary files a/windows/deployment/images/fig28-addapp.png and b/windows/deployment/images/fig28-addapp.png differ
diff --git a/windows/deployment/images/fig30-settingspack.png b/windows/deployment/images/fig30-settingspack.png
index 3479184140..4dd820aadf 100644
Binary files a/windows/deployment/images/fig30-settingspack.png and b/windows/deployment/images/fig30-settingspack.png differ
diff --git a/windows/deployment/images/fig32-deploywiz.png b/windows/deployment/images/fig32-deploywiz.png
index a1387b19d8..ad5052af7d 100644
Binary files a/windows/deployment/images/fig32-deploywiz.png and b/windows/deployment/images/fig32-deploywiz.png differ
diff --git a/windows/deployment/images/mdt-06-fig06.png b/windows/deployment/images/mdt-06-fig06.png
index 324c8960c1..69e2b89c1e 100644
Binary files a/windows/deployment/images/mdt-06-fig06.png and b/windows/deployment/images/mdt-06-fig06.png differ
diff --git a/windows/deployment/images/mdt-06-fig08.png b/windows/deployment/images/mdt-06-fig08.png
index 33cb90327a..25c8a0a445 100644
Binary files a/windows/deployment/images/mdt-06-fig08.png and b/windows/deployment/images/mdt-06-fig08.png differ
diff --git a/windows/deployment/images/mdt-06-fig10.png b/windows/deployment/images/mdt-06-fig10.png
index 1d92505b96..85b448ba87 100644
Binary files a/windows/deployment/images/mdt-06-fig10.png and b/windows/deployment/images/mdt-06-fig10.png differ
diff --git a/windows/deployment/images/mdt-06-fig12.png b/windows/deployment/images/mdt-06-fig12.png
index f33eca6174..a427be3f1d 100644
Binary files a/windows/deployment/images/mdt-06-fig12.png and b/windows/deployment/images/mdt-06-fig12.png differ
diff --git a/windows/deployment/images/mdt-06-fig13.png b/windows/deployment/images/mdt-06-fig13.png
index ab578f69fe..a9f020b0da 100644
Binary files a/windows/deployment/images/mdt-06-fig13.png and b/windows/deployment/images/mdt-06-fig13.png differ
diff --git a/windows/deployment/images/mdt-06-fig14.png b/windows/deployment/images/mdt-06-fig14.png
index 13158231fd..1d06c9c7e2 100644
Binary files a/windows/deployment/images/mdt-06-fig14.png and b/windows/deployment/images/mdt-06-fig14.png differ
diff --git a/windows/deployment/images/mdt-06-fig15.png b/windows/deployment/images/mdt-06-fig15.png
index 2f1a0eba18..ffa5890a84 100644
Binary files a/windows/deployment/images/mdt-06-fig15.png and b/windows/deployment/images/mdt-06-fig15.png differ
diff --git a/windows/deployment/images/mdt-06-fig16.png b/windows/deployment/images/mdt-06-fig16.png
index 40cb46adbd..f448782602 100644
Binary files a/windows/deployment/images/mdt-06-fig16.png and b/windows/deployment/images/mdt-06-fig16.png differ
diff --git a/windows/deployment/images/mdt-06-fig20.png b/windows/deployment/images/mdt-06-fig20.png
index 475fad7597..890c421227 100644
Binary files a/windows/deployment/images/mdt-06-fig20.png and b/windows/deployment/images/mdt-06-fig20.png differ
diff --git a/windows/deployment/images/mdt-06-fig21.png b/windows/deployment/images/mdt-06-fig21.png
index 7cbd1d20bc..07b168ab89 100644
Binary files a/windows/deployment/images/mdt-06-fig21.png and b/windows/deployment/images/mdt-06-fig21.png differ
diff --git a/windows/deployment/images/mdt-06-fig31.png b/windows/deployment/images/mdt-06-fig31.png
index 5e98d623b1..306f4a7980 100644
Binary files a/windows/deployment/images/mdt-06-fig31.png and b/windows/deployment/images/mdt-06-fig31.png differ
diff --git a/windows/deployment/images/mdt-06-fig33.png b/windows/deployment/images/mdt-06-fig33.png
index 18ae4c82dd..1529426830 100644
Binary files a/windows/deployment/images/mdt-06-fig33.png and b/windows/deployment/images/mdt-06-fig33.png differ
diff --git a/windows/deployment/images/mdt-06-fig42.png b/windows/deployment/images/mdt-06-fig42.png
index 12b0e6817a..e9cfe36083 100644
Binary files a/windows/deployment/images/mdt-06-fig42.png and b/windows/deployment/images/mdt-06-fig42.png differ
diff --git a/windows/deployment/images/mdt-06-fig43.png b/windows/deployment/images/mdt-06-fig43.png
index 015edd21e3..c9a2c88306 100644
Binary files a/windows/deployment/images/mdt-06-fig43.png and b/windows/deployment/images/mdt-06-fig43.png differ
diff --git a/windows/deployment/images/pc0001-monitor.png b/windows/deployment/images/pc0001-monitor.png
new file mode 100644
index 0000000000..7ba8e198bf
Binary files /dev/null and b/windows/deployment/images/pc0001-monitor.png differ
diff --git a/windows/deployment/images/pc0001a.png b/windows/deployment/images/pc0001a.png
new file mode 100644
index 0000000000..0f2be5a865
Binary files /dev/null and b/windows/deployment/images/pc0001a.png differ
diff --git a/windows/deployment/images/pc0001b.png b/windows/deployment/images/pc0001b.png
new file mode 100644
index 0000000000..456f6071a9
Binary files /dev/null and b/windows/deployment/images/pc0001b.png differ
diff --git a/windows/deployment/images/pc0001c.png b/windows/deployment/images/pc0001c.png
new file mode 100644
index 0000000000..d093e58d0a
Binary files /dev/null and b/windows/deployment/images/pc0001c.png differ
diff --git a/windows/deployment/images/pc0001d.png b/windows/deployment/images/pc0001d.png
new file mode 100644
index 0000000000..14f14a2e91
Binary files /dev/null and b/windows/deployment/images/pc0001d.png differ
diff --git a/windows/deployment/images/pc0001e.png b/windows/deployment/images/pc0001e.png
new file mode 100644
index 0000000000..41264f2c63
Binary files /dev/null and b/windows/deployment/images/pc0001e.png differ
diff --git a/windows/deployment/images/pc0001f.png b/windows/deployment/images/pc0001f.png
new file mode 100644
index 0000000000..8261c40953
Binary files /dev/null and b/windows/deployment/images/pc0001f.png differ
diff --git a/windows/deployment/images/pc0001g.png b/windows/deployment/images/pc0001g.png
new file mode 100644
index 0000000000..5fd7f8a4a7
Binary files /dev/null and b/windows/deployment/images/pc0001g.png differ
diff --git a/windows/deployment/images/pc0001h.png b/windows/deployment/images/pc0001h.png
new file mode 100644
index 0000000000..65bead5840
Binary files /dev/null and b/windows/deployment/images/pc0001h.png differ
diff --git a/windows/deployment/images/pc0001i.png b/windows/deployment/images/pc0001i.png
new file mode 100644
index 0000000000..76247a04df
Binary files /dev/null and b/windows/deployment/images/pc0001i.png differ
diff --git a/windows/deployment/images/pc0001j.png b/windows/deployment/images/pc0001j.png
new file mode 100644
index 0000000000..01d8fe22b7
Binary files /dev/null and b/windows/deployment/images/pc0001j.png differ
diff --git a/windows/deployment/images/pc0001k.png b/windows/deployment/images/pc0001k.png
new file mode 100644
index 0000000000..1f591d5164
Binary files /dev/null and b/windows/deployment/images/pc0001k.png differ
diff --git a/windows/deployment/images/pc0001l.png b/windows/deployment/images/pc0001l.png
new file mode 100644
index 0000000000..a2d491cef7
Binary files /dev/null and b/windows/deployment/images/pc0001l.png differ
diff --git a/windows/deployment/images/pc0001m.png b/windows/deployment/images/pc0001m.png
new file mode 100644
index 0000000000..d9e07b5d8a
Binary files /dev/null and b/windows/deployment/images/pc0001m.png differ
diff --git a/windows/deployment/images/pc0001n.png b/windows/deployment/images/pc0001n.png
new file mode 100644
index 0000000000..10819a15d9
Binary files /dev/null and b/windows/deployment/images/pc0001n.png differ
diff --git a/windows/deployment/images/pc0003a.png b/windows/deployment/images/pc0003a.png
new file mode 100644
index 0000000000..31d8d4068c
Binary files /dev/null and b/windows/deployment/images/pc0003a.png differ
diff --git a/windows/deployment/images/pc0003b.png b/windows/deployment/images/pc0003b.png
new file mode 100644
index 0000000000..8df2b066e6
Binary files /dev/null and b/windows/deployment/images/pc0003b.png differ
diff --git a/windows/deployment/images/pc0003c.png b/windows/deployment/images/pc0003c.png
new file mode 100644
index 0000000000..69db9cc567
Binary files /dev/null and b/windows/deployment/images/pc0003c.png differ
diff --git a/windows/deployment/images/pc0003d.png b/windows/deployment/images/pc0003d.png
new file mode 100644
index 0000000000..d36e293f74
Binary files /dev/null and b/windows/deployment/images/pc0003d.png differ
diff --git a/windows/deployment/images/pc0003e.png b/windows/deployment/images/pc0003e.png
new file mode 100644
index 0000000000..09be89ba61
Binary files /dev/null and b/windows/deployment/images/pc0003e.png differ
diff --git a/windows/deployment/images/pc0003f.png b/windows/deployment/images/pc0003f.png
new file mode 100644
index 0000000000..6f48f797df
Binary files /dev/null and b/windows/deployment/images/pc0003f.png differ
diff --git a/windows/deployment/images/pc0003g.png b/windows/deployment/images/pc0003g.png
new file mode 100644
index 0000000000..a5a935de32
Binary files /dev/null and b/windows/deployment/images/pc0003g.png differ
diff --git a/windows/deployment/images/pc0003h.png b/windows/deployment/images/pc0003h.png
new file mode 100644
index 0000000000..9e15738b48
Binary files /dev/null and b/windows/deployment/images/pc0003h.png differ
diff --git a/windows/deployment/images/pc0003i.png b/windows/deployment/images/pc0003i.png
new file mode 100644
index 0000000000..7c7b194399
Binary files /dev/null and b/windows/deployment/images/pc0003i.png differ
diff --git a/windows/deployment/images/pc0003j.png b/windows/deployment/images/pc0003j.png
new file mode 100644
index 0000000000..b446bff1c2
Binary files /dev/null and b/windows/deployment/images/pc0003j.png differ
diff --git a/windows/deployment/images/pc0003k.png b/windows/deployment/images/pc0003k.png
new file mode 100644
index 0000000000..ceead7b05b
Binary files /dev/null and b/windows/deployment/images/pc0003k.png differ
diff --git a/windows/deployment/images/pc0004-a.png b/windows/deployment/images/pc0004-a.png
new file mode 100644
index 0000000000..afe954d28f
Binary files /dev/null and b/windows/deployment/images/pc0004-a.png differ
diff --git a/windows/deployment/images/pc0004-b.png b/windows/deployment/images/pc0004-b.png
new file mode 100644
index 0000000000..caad109ace
Binary files /dev/null and b/windows/deployment/images/pc0004-b.png differ
diff --git a/windows/deployment/images/pc0004-c.png b/windows/deployment/images/pc0004-c.png
new file mode 100644
index 0000000000..21490d55a3
Binary files /dev/null and b/windows/deployment/images/pc0004-c.png differ
diff --git a/windows/deployment/images/pc0004-d.png b/windows/deployment/images/pc0004-d.png
new file mode 100644
index 0000000000..db10b4ccdc
Binary files /dev/null and b/windows/deployment/images/pc0004-d.png differ
diff --git a/windows/deployment/images/pc0004-e.png b/windows/deployment/images/pc0004-e.png
new file mode 100644
index 0000000000..d6472a4209
Binary files /dev/null and b/windows/deployment/images/pc0004-e.png differ
diff --git a/windows/deployment/images/pc0004-f.png b/windows/deployment/images/pc0004-f.png
new file mode 100644
index 0000000000..7752a700e0
Binary files /dev/null and b/windows/deployment/images/pc0004-f.png differ
diff --git a/windows/deployment/images/pc0004-g.png b/windows/deployment/images/pc0004-g.png
new file mode 100644
index 0000000000..93b4812149
Binary files /dev/null and b/windows/deployment/images/pc0004-g.png differ
diff --git a/windows/deployment/images/pc0004b.png b/windows/deployment/images/pc0004b.png
new file mode 100644
index 0000000000..f1fb129bbe
Binary files /dev/null and b/windows/deployment/images/pc0004b.png differ
diff --git a/windows/deployment/images/pc0006a.png b/windows/deployment/images/pc0006a.png
new file mode 100644
index 0000000000..399f99885f
Binary files /dev/null and b/windows/deployment/images/pc0006a.png differ
diff --git a/windows/deployment/images/pc0006b.png b/windows/deployment/images/pc0006b.png
new file mode 100644
index 0000000000..bef284d211
Binary files /dev/null and b/windows/deployment/images/pc0006b.png differ
diff --git a/windows/deployment/images/pc0006c.png b/windows/deployment/images/pc0006c.png
new file mode 100644
index 0000000000..1e8f075262
Binary files /dev/null and b/windows/deployment/images/pc0006c.png differ
diff --git a/windows/deployment/images/pc0006d.png b/windows/deployment/images/pc0006d.png
new file mode 100644
index 0000000000..dca5a58c2a
Binary files /dev/null and b/windows/deployment/images/pc0006d.png differ
diff --git a/windows/deployment/images/pc0006e.png b/windows/deployment/images/pc0006e.png
new file mode 100644
index 0000000000..3b3ef3be99
Binary files /dev/null and b/windows/deployment/images/pc0006e.png differ
diff --git a/windows/deployment/images/pc0006f.png b/windows/deployment/images/pc0006f.png
new file mode 100644
index 0000000000..8da05473b3
Binary files /dev/null and b/windows/deployment/images/pc0006f.png differ
diff --git a/windows/deployment/images/pc0006g.png b/windows/deployment/images/pc0006g.png
new file mode 100644
index 0000000000..0cc69e2626
Binary files /dev/null and b/windows/deployment/images/pc0006g.png differ
diff --git a/windows/deployment/images/pc0006h.png b/windows/deployment/images/pc0006h.png
new file mode 100644
index 0000000000..3ae86b01ed
Binary files /dev/null and b/windows/deployment/images/pc0006h.png differ
diff --git a/windows/deployment/images/pc0006i.png b/windows/deployment/images/pc0006i.png
new file mode 100644
index 0000000000..42c8e2adfa
Binary files /dev/null and b/windows/deployment/images/pc0006i.png differ
diff --git a/windows/deployment/images/ps100009-1.png b/windows/deployment/images/ps100009-1.png
new file mode 100644
index 0000000000..6bd970c352
Binary files /dev/null and b/windows/deployment/images/ps100009-1.png differ
diff --git a/windows/deployment/images/ps100009-2.png b/windows/deployment/images/ps100009-2.png
new file mode 100644
index 0000000000..e960ad91d4
Binary files /dev/null and b/windows/deployment/images/ps100009-2.png differ
diff --git a/windows/deployment/images/ref-image.png b/windows/deployment/images/ref-image.png
new file mode 100644
index 0000000000..773a21e150
Binary files /dev/null and b/windows/deployment/images/ref-image.png differ
diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/sccm-assets.PNG
deleted file mode 100644
index 264606c2ab..0000000000
Binary files a/windows/deployment/images/sccm-assets.PNG and /dev/null differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 4414c1e8fe..2d316a4b7f 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -27,7 +27,7 @@ sections:
- href: windows-10-deployment-scenarios
html:
-
"
@@ -89,7 +89,7 @@ sections:
[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Office 365 ProPlus deployments.
+ [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Microsoft 365 Apps for enterprise deployments.
[What's new in Windows 10 deployment](deploy-whats-new.md) See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization.
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
[Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure.
@@ -65,10 +65,10 @@ sections:
[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
[Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
- [Windows 10 deployment test lab](windows-10-poc.md) This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md).
+ [Windows 10 deployment test lab](windows-10-poc.md) This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md).
[Plan for Windows 10 deployment](planning/index.md) This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning.
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or.
+ [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-cm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or.
[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more.
[Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile.
[Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.
[Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) Explains how to use WSUS to manage Windows 10 updates.
- [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) Explains how to use Configuration Manager to manage Windows 10 updates.
+ [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md) Explains how to use Configuration Manager to manage Windows 10 updates.
[Manage device restarts after updates](update/waas-restart.md) Explains how to manage update related device restarts.
[Manage additional Windows Update settings](update/waas-wu-settings.md) Provides details about settings available to control and configure Windows Update.
[Windows Insider Program for Business](update/waas-windows-insider-for-business.md) Explains how the Windows Insider Program for Business works and how to become an insider.
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 5dc23ca66e..45e00f7007 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -233,7 +233,7 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
1. Disk validation is performed.
2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
3. UEFI boot files are installed to the ESP.
-4. GPT metatdata and layout information is applied.
+4. GPT metadata and layout information is applied.
5. The boot configuration data (BCD) store is updated.
6. Drive letter assignments are restored.
@@ -427,6 +427,9 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window:
+ > [!NOTE]
+ > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit.
+
**Command 1:**
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
index ac27941579..3a4c5f022e 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and b/windows/deployment/media/Windows10DeploymentConfigManager.pdf differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
index 5c5328cb5f..8b2db358ff 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx differ
diff --git a/windows/deployment/media/windows10-deployment-config-manager.png b/windows/deployment/media/windows10-deployment-config-manager.png
index 9a3ae2b1f5..509e041741 100644
Binary files a/windows/deployment/media/windows10-deployment-config-manager.png and b/windows/deployment/media/windows10-deployment-config-manager.png differ
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index dde951580a..76f55d16c6 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -28,7 +28,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## Related topics
- [Windows 10 servicing options for updates and upgrades](../update/index.md)
- [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 08cbf28585..a9f0103eb9 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,6 +1,6 @@
---
title: Prepare your organization for Windows To Go (Windows 10)
-description: Prepare your organization for Windows To Go
+description: Though Windows To Go is no longer being developed, you can find info here about the the “what”, “why”, and “when” of deployment.
ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff
ms.reviewer:
manager: laurawi
@@ -74,7 +74,7 @@ Because Windows To Go requires no additional software and minimal configuration,
Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
+Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 3276da608a..5a34226e0f 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -21,14 +21,14 @@ The features described below are no longer being actively developed, and might b
**The following list is subject to change and might not include every affected feature or functionality.**
->If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
+> [!NOTE]
+> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
-| TSF1/TSF2 IME | TSF1 and TSF2 IME will be replaced by TSF3 IME in a future release. [Text Services Framework](https://docs.microsoft.com/windows/win32/tsf/what-is-text-services-framework) (TSF) enables language technologies. TSF IME are Windows components that you can add to enable typing text for Japanese, Simplified Chinese, Traditional Chinese, and Korean languages. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
@@ -48,7 +48,6 @@ The features described below are no longer being actively developed, and might b
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
-|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
@@ -64,4 +63,4 @@ The features described below are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quite switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
deleted file mode 100644
index 9c2f192856..0000000000
--- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Windows 10 Fall Creators Update - Features removed or planned for removal
-description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future?
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.date: 10/09/2017
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.topic: article
----
-
-# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709)
-
-> Applies to: Windows 10, version 1709
-
-Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.**
-
-## Features removed from Windows 10 Fall Creators Update
-
-We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method.
-
-### 3D Builder
-
-No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place.
-
-### APN database (Apndatabase.xml)
-
-Replaced by the Country and Operator Settings Asset (COSA) database. For more information, see the following Hardware Dev Center articles:
-
-- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
-- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq)
-
-### Enhanced Mitigation Experience Toolkit (EMET)
-
-Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details.
-
-### Outlook Express
-
-Removed this non-functional code.
-
-### Reader app
-
-Integrated the Reader functionality into Microsoft Edge.
-
-### Reading list
-
-Integrated the Reading list functionality into Microsoft Edge.
-
-### Resilient File System (ReFS)
-
-We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition.
-
-If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes.
-
-If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition.
-
-### Syskey.exe
-
-Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window).
-
-### TCP Offload Engine
-
-Removed this code. The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/)
-
-### TPM Owner Password Management
-
-Removed this code.
-
-## Features being considered for replacement starting after Windows Fall Creators Update
-
-We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.**
-
-If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
-
-### IIS 6 Management Compatibility
-
-We're considering replacing the following specific DISM features:
-
-- IIS 6 Metabase Compatibility (Web-Metabase)
-- IIS 6 Management Console (Web-Lgcy-Mgmt-Console)
-- IIS 6 Scripting Tools (Web-Lgcy-Scripting)
-- IIS 6 WMI Compatibility (Web-WMI)
-
-Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace.
-
-You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10).
-
-### IIS Digest Authentication
-
-We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/).
-
-### Microsoft Paint
-
-We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features.
-
-### RSA/AES Encryption for IIS
-
-We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available.
-
-### Sync your settings
-
-We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 0b58c82162..b5615f4412 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -53,7 +53,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var
> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.
-For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Management tools
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 3063058112..508cc788a8 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -18,7 +18,7 @@ ms.topic: article
Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.**
-For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md)
+For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md).
> [!NOTE]
> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself.
@@ -36,7 +36,7 @@ The following features and functionalities have been removed from the installed
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
-|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
+|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
@@ -50,12 +50,13 @@ The following features and functionalities have been removed from the installed
|Reading List | Functionality to be integrated into Microsoft Edge. | 1709 |
|Screen saver functionality in Themes | This functionality is disabled in Themes, and classified as **Removed** in this table. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|Syskey.exe | Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). | 1709 |
-|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193).| 1709 |
+|TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 |
|Tile Data Layer |To be replaced by the Tile Store.| 1709 |
+|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
|Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
-|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
+|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
index 77f7cfe31a..d888468cfe 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
@@ -1,6 +1,6 @@
---
title: Windows To Go frequently asked questions (Windows 10)
-description: Windows To Go frequently asked questions
+description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature.
ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 3d5adb42f4..e8a3556632 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -1,6 +1,6 @@
---
title: Windows 10 Pro in S mode
-description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
+description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@@ -18,33 +18,35 @@ ms.topic: article
---
# Windows 10 in S mode - What is it?
-S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
+
+S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
## S mode key features
+
**Microsoft-verified security**
-With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
+With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
**Performance that lasts**
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go.
+Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go.
**Choice and flexibility**
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
## Deployment
-Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
## Keep line of business apps functioning with Desktop Bridge
-Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
+Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
## Repackage Win32 apps into the MSIX format
@@ -54,6 +56,6 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem
## Related links
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
-- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
+- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 9dbe7740b3..d125672d4a 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,6 +1,6 @@
---
-title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM
-description: Learn how to make FoD and language packs available when you're using WSUS/SCCM
+title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager
+description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager
ms.prod: w10
ms.mktglfcycl: manage
@@ -14,7 +14,7 @@ ms.reviewer:
manager: laurawi
ms.topic: article
---
-# How to make Features on Demand and language packs available when you're using WSUS/SCCM
+# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
> Applies to: Windows 10
@@ -26,6 +26,6 @@ In Windows 10 version 1709 and 1803, changing the **Specify settings for optiona
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
-For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS or SCCM or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
+For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index ac597ae387..7284fecba7 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -106,7 +106,7 @@ When users start scanning in Windows Update through the Settings panel, the foll
|MU|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552|
-|WSUS or SCCM|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
+|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
|Offline scan service|Via IUpdateServiceManager::AddScanPackageService|
#### Finds network faults
@@ -117,9 +117,9 @@ Common update failure is caused due to network issues. To find the root of the i
- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting.
> [!NOTE]
- > Warning messages for SLS can be ignored if the search is against WSUS/SCCM.
+ > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager.
-- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured.
+- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured.
## Downloading updates
diff --git a/windows/deployment/update/images/UC-vid-crop.jpg b/windows/deployment/update/images/UC-vid-crop.jpg
deleted file mode 100644
index 47e74febbc..0000000000
Binary files a/windows/deployment/update/images/UC-vid-crop.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/update/images/UC_00_marketplace_search.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/update/images/UC_01_marketplace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/update/images/UC_02_workspace_create.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/update/images/UC_03_workspace_select.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID.png b/windows/deployment/update/images/UC_commercialID.png
deleted file mode 100644
index 6896be03e6..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_commercialID_GP.png b/windows/deployment/update/images/UC_commercialID_GP.png
deleted file mode 100644
index 95d92cf6df..0000000000
Binary files a/windows/deployment/update/images/UC_commercialID_GP.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_telemetrylevel.png b/windows/deployment/update/images/UC_telemetrylevel.png
deleted file mode 100644
index a11e68a5f8..0000000000
Binary files a/windows/deployment/update/images/UC_telemetrylevel.png and /dev/null differ
diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png
deleted file mode 100644
index c0ef37ebc6..0000000000
Binary files a/windows/deployment/update/images/uc-01-wdav.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-01.png b/windows/deployment/update/images/uc-01.png
deleted file mode 100644
index 7f4df9f6d7..0000000000
Binary files a/windows/deployment/update/images/uc-01.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02.png b/windows/deployment/update/images/uc-02.png
deleted file mode 100644
index 8317f051c3..0000000000
Binary files a/windows/deployment/update/images/uc-02.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-02a.png b/windows/deployment/update/images/uc-02a.png
deleted file mode 100644
index d12544e3a0..0000000000
Binary files a/windows/deployment/update/images/uc-02a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03.png b/windows/deployment/update/images/uc-03.png
deleted file mode 100644
index 58494c4128..0000000000
Binary files a/windows/deployment/update/images/uc-03.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-03a.png b/windows/deployment/update/images/uc-03a.png
deleted file mode 100644
index 39412fc8f3..0000000000
Binary files a/windows/deployment/update/images/uc-03a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04.png b/windows/deployment/update/images/uc-04.png
deleted file mode 100644
index ef9a37d379..0000000000
Binary files a/windows/deployment/update/images/uc-04.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-04a.png b/windows/deployment/update/images/uc-04a.png
deleted file mode 100644
index 537d4bbe72..0000000000
Binary files a/windows/deployment/update/images/uc-04a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05.png b/windows/deployment/update/images/uc-05.png
deleted file mode 100644
index 21c8e9f9e0..0000000000
Binary files a/windows/deployment/update/images/uc-05.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-05a.png b/windows/deployment/update/images/uc-05a.png
deleted file mode 100644
index 2271181622..0000000000
Binary files a/windows/deployment/update/images/uc-05a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06.png b/windows/deployment/update/images/uc-06.png
deleted file mode 100644
index 03a559800b..0000000000
Binary files a/windows/deployment/update/images/uc-06.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-06a.png b/windows/deployment/update/images/uc-06a.png
deleted file mode 100644
index 15df1cfea0..0000000000
Binary files a/windows/deployment/update/images/uc-06a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07.png b/windows/deployment/update/images/uc-07.png
deleted file mode 100644
index de1ae35e82..0000000000
Binary files a/windows/deployment/update/images/uc-07.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-07a.png b/windows/deployment/update/images/uc-07a.png
deleted file mode 100644
index c0f2d9fd73..0000000000
Binary files a/windows/deployment/update/images/uc-07a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08.png b/windows/deployment/update/images/uc-08.png
deleted file mode 100644
index 877fcd64c0..0000000000
Binary files a/windows/deployment/update/images/uc-08.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-08a.png b/windows/deployment/update/images/uc-08a.png
deleted file mode 100644
index 89da287d3d..0000000000
Binary files a/windows/deployment/update/images/uc-08a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09.png b/windows/deployment/update/images/uc-09.png
deleted file mode 100644
index 37d7114f19..0000000000
Binary files a/windows/deployment/update/images/uc-09.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-09a.png b/windows/deployment/update/images/uc-09a.png
deleted file mode 100644
index f6b6ec5b60..0000000000
Binary files a/windows/deployment/update/images/uc-09a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png
deleted file mode 100644
index ea065590b9..0000000000
Binary files a/windows/deployment/update/images/uc-10.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-10a.png b/windows/deployment/update/images/uc-10a.png
deleted file mode 100644
index 1c6b8b01dc..0000000000
Binary files a/windows/deployment/update/images/uc-10a.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-11.png b/windows/deployment/update/images/uc-11.png
deleted file mode 100644
index 8b4fc568ea..0000000000
Binary files a/windows/deployment/update/images/uc-11.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-12.png b/windows/deployment/update/images/uc-12.png
deleted file mode 100644
index 4198684c99..0000000000
Binary files a/windows/deployment/update/images/uc-12.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-13.png b/windows/deployment/update/images/uc-13.png
deleted file mode 100644
index 117f9b9fd8..0000000000
Binary files a/windows/deployment/update/images/uc-13.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-14.png b/windows/deployment/update/images/uc-14.png
deleted file mode 100644
index 66047984e7..0000000000
Binary files a/windows/deployment/update/images/uc-14.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-15.png b/windows/deployment/update/images/uc-15.png
deleted file mode 100644
index c241cd9117..0000000000
Binary files a/windows/deployment/update/images/uc-15.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-16.png b/windows/deployment/update/images/uc-16.png
deleted file mode 100644
index e7aff4d4ed..0000000000
Binary files a/windows/deployment/update/images/uc-16.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-17.png b/windows/deployment/update/images/uc-17.png
deleted file mode 100644
index cb8e42ca5e..0000000000
Binary files a/windows/deployment/update/images/uc-17.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-18.png b/windows/deployment/update/images/uc-18.png
deleted file mode 100644
index 5eff59adc9..0000000000
Binary files a/windows/deployment/update/images/uc-18.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-19.png b/windows/deployment/update/images/uc-19.png
deleted file mode 100644
index 791900eafc..0000000000
Binary files a/windows/deployment/update/images/uc-19.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-20.png b/windows/deployment/update/images/uc-20.png
deleted file mode 100644
index 7dbb027b9f..0000000000
Binary files a/windows/deployment/update/images/uc-20.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-21.png b/windows/deployment/update/images/uc-21.png
deleted file mode 100644
index 418db41fe4..0000000000
Binary files a/windows/deployment/update/images/uc-21.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-22.png b/windows/deployment/update/images/uc-22.png
deleted file mode 100644
index 2ca5c47a61..0000000000
Binary files a/windows/deployment/update/images/uc-22.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-23.png b/windows/deployment/update/images/uc-23.png
deleted file mode 100644
index 58b82db82d..0000000000
Binary files a/windows/deployment/update/images/uc-23.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-24.png b/windows/deployment/update/images/uc-24.png
deleted file mode 100644
index 00bc61e3e1..0000000000
Binary files a/windows/deployment/update/images/uc-24.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-25.png b/windows/deployment/update/images/uc-25.png
deleted file mode 100644
index 4e0f0bdb03..0000000000
Binary files a/windows/deployment/update/images/uc-25.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-DO-status.png b/windows/deployment/update/images/uc-DO-status.png
deleted file mode 100644
index d4b47be324..0000000000
Binary files a/windows/deployment/update/images/uc-DO-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG
deleted file mode 100644
index 24c37d4279..0000000000
Binary files a/windows/deployment/update/images/uc-emptyworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG
deleted file mode 100644
index ae6a38502f..0000000000
Binary files a/windows/deployment/update/images/uc-featureupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
deleted file mode 100644
index 7293578b1a..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspacetile.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
deleted file mode 100644
index 8d99e52e02..0000000000
Binary files a/windows/deployment/update/images/uc-filledworkspaceview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG
deleted file mode 100644
index 50b6d04699..0000000000
Binary files a/windows/deployment/update/images/uc-needattentionoverview.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG
deleted file mode 100644
index dca364daf6..0000000000
Binary files a/windows/deployment/update/images/uc-overviewblade.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png
deleted file mode 100644
index f52087a4a7..0000000000
Binary files a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png and /dev/null differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
deleted file mode 100644
index 75e9d10fd8..0000000000
Binary files a/windows/deployment/update/images/uc-securityupdatestatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG
deleted file mode 100644
index e3f6990348..0000000000
Binary files a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG and /dev/null differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 06ca9774d4..6c8417f572 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -48,5 +48,5 @@ Windows as a service provides a new way to think about building, deploying, and
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 6f79f71c7e..8af36e4df1 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -8,7 +8,7 @@ itproauthor: jaimeo
author: SteveDiAcetis
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
+ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
@@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
-The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
+The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
@@ -88,7 +88,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
### Additional languages and features
-You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
@@ -108,7 +108,7 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```
-function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
+function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Write-Host "$(Get-TS): Starting media refresh"
@@ -121,19 +121,19 @@ $LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare Dynamic Update packages
-$LCU_PATH = “C:\mediaRefresh\packages\LCU.msu”
-$SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu”
+$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
+$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
-$SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab”
-$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu”
+$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
+$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
# Declare folders for mounted images and temp files
$WORKING_PATH = "C:\mediaRefresh\temp"
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount”
-$WINRE_MOUNT = $WORKING_PATH + "\WinREMount”
-$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount”
+$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
+$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
+$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
# Mount the language pack ISO
Write-Host "$(Get-TS): Mounting LP ISO"
@@ -152,7 +152,7 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Cli
# Mount the Features on Demand ISO
Write-Host "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
+$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
@@ -162,7 +162,7 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updateed media.
Write-Host "$(Get-TS): Copying original media to new media path"
-Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
@@ -177,14 +177,14 @@ It finishes by cleaning and exporting the image to reduce the image size.
```
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
-Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim” -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
+Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
#
# update Windows Recovery Environment (WinRE)
#
-Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Mounting WinRE"
-Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim” -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
+Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
@@ -226,10 +226,10 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-
+
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
@@ -244,35 +244,35 @@ Write-Host "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
-Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
+Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
# Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim”
-Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
+Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
```
-#
+#
# update Windows Preinstallation Environment (WinPE)
-#
+#
# Get the list of images contained within WinPE
-$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim”
+$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES) {
# update WinPE
Write-Host "$(Get-TS): Mounting WinPE"
- Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
+ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
-
+
# Install lp.cab cab
Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
@@ -287,7 +287,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
if ($INDEX -ge 0) {
-
+
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
@@ -307,10 +307,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-
+
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
@@ -321,7 +321,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Write-Host "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
}
-
+
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
@@ -331,28 +331,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
- Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
+ Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
#Export WinPE
- Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim”
- Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
+ Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
+ Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
}
-Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
### Update the main operating system
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
-
+
You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
```
-#
+#
# update Main OS
-#
+#
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
@@ -385,20 +385,20 @@ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOU
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Copy our updated recovery image from earlier into the main OS
-# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
+# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
# into each edition to enable single instancing
-Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
+Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on main OS"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
-# Note: If I wanted to enable additional Optional Components, I'd add these here.
-# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
+# Note: If I wanted to enable additional Optional Components, I'd add these here.
+# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
@@ -413,9 +413,9 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorActio
Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
# Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim”
-Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null
+Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
### Update remaining media files
@@ -446,8 +446,7 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
# Dismount ISO images
Write-Host "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
-Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
+Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Media refresh completed!"
```
-
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
new file mode 100644
index 0000000000..fc22965271
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -0,0 +1,77 @@
+---
+title: Manually configuring devices for Update Compliance
+ms.reviewer:
+manager: laurawi
+description: Manually configuring devices for Update Compliance
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Manually Configuring Devices for Update Compliance
+
+There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+
+The requirements are separated into different categories:
+
+1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
+2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
+3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
+
+## Required policies
+
+> [!NOTE]
+> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
+
+Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+
+- **Policy** corresponds to the location and name of the policy.
+- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional).
+- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
+
+### Mobile Device Management policies
+
+Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details.
+
+| Policy | Value | Function |
+|---------------------------|-|------------------------------------------------------------|
+|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |1- Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | Disable Telemetry opt-in Settings | (*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+### Group Policies
+
+All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
+
+| Policy | Value | Function |
+|---------------------------|-|-----------------------------------------------------------|
+|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
+|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed telemetry to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
+|**Configure telemetry opt-in setting user interface** | Disable telemetry opt-in Settings |(*Windows 10 1803+*) Determines whether end-users of the device can adjust telemetry to levels lower than the level defined by AllowTelemetry. It is recommended you disable this policy order the effective telemetry level on devices may not be sufficient. |
+|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+
+## Required endpoints
+
+To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. Census.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
+| `http://adl.windows.com` | Required for Windows Update functionality. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
+| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
+| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). |
+
+## Required services
+
+Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
new file mode 100644
index 0000000000..2167039e0c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -0,0 +1,99 @@
+---
+title: Update Compliance Configuration Script
+ms.reviewer:
+manager: laurawi
+description: Downloading and using the Update Compliance Configuration Script
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Configuring devices through the Update Compliance Configuration Script
+
+The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
+
+You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+
+## How the script is organized
+
+The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat.
+
+- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on.
+- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script.
+
+## How to use the script
+
+### Piloting and Troubleshooting
+
+> [!IMPORTANT]
+> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
+
+When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
+
+1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
+2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+3. Run the script. The script must be run in System context.
+4. Examine the Logs output for any issues. If there were issues:
+ - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
+ - Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
+ - Make the necessary corrections and run the script again.
+5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.
+
+
+### Broad deployment
+
+After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment.
+
+1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid).
+2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population.
+
+## Script Error Reference
+
+|Error |Description |
+|-|-------------------|
+| 27 | Not system account. |
+| 37 | Unexpected exception when collecting logs|
+| 1 | General unexpected error|
+| 6 | Invalid CommercialID|
+| 48 | CommercialID is not a GUID|
+| 8 | Couldn't create registry key path to setup CommercialID|
+| 9 | Couldn't write CommercialID at registry key path|
+| 53 | There are conflicting CommercialID values.|
+| 11 | Unexpected result when setting up CommercialID.|
+| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`|
+| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.|
+| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.|
+| 99 | Device is not Windows 10.|
+| 40 | Unexpected exception when checking and setting telemetry.|
+| 12 | CheckVortexConnectivity failed, check Log output for more information.|
+| 12 | Unexpected failure when running CheckVortexConnectivity.|
+| 66 | Failed to verify UTC connectivity and recent uploads.|
+| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.|
+| 41 | Unable to impersonate logged-on user.|
+| 42 | Unexpected exception when attempting to impersonate logged-on user.|
+| 43 | Unexpected exception when attempting to impersonate logged-on user.|
+| 16 | Reboot is pending on device, restart device and restart script.|
+| 17 | Unexpected exception in CheckRebootRequired.|
+| 44 | Error when running CheckDiagTrack service.|
+| 45 | DiagTrack.dll not found.|
+| 50 | DiagTrack service not running.|
+| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
+| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.|
+| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.|
+| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.|
+| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.|
+| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.|
+| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
+| 61 | Unexpected exception when attempting to clean up OneSettings.|
+| 52 | Could not find Census.exe|
+| 51 | Unexpected exception when attempting to run Census.exe|
+| 34 | Unexpected exception when attempting to check Proxy settings.|
+| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
+| 35 | Unexpected exception when checking User Proxy.|
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 2d3216901c..5953fcc349 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -2,7 +2,7 @@
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: laurawi
-description: an overview of the Feature Update Status report
+description: Find the latest status of feature updates with an overview of the Feature Update Status report.
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@@ -37,9 +37,7 @@ Refer to the following list for what each state means:
## Compatibility holds
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
-
-To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status).
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
### Opting out of compatibility hold
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 5e81c8e5a0..4e77a4d513 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,8 +1,8 @@
---
-title: Get started with Update Compliance (Windows 10)
+title: Get started with Update Compliance
ms.reviewer:
manager: laurawi
-description: Configure Update Compliance in Azure Portal to see the status of updates and antimalware protection on devices in your network.
+description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
@@ -16,113 +16,68 @@ ms.topic: article
---
# Get started with Update Compliance
-This topic explains the steps necessary to configure your environment for Update Compliance.
-Steps are provided in sections that follow the recommended setup process:
+This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
-1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites).
-2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription).
-3. [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance).
-4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and get Delivery Optimization insights.
+1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
+2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
+3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
+
+After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
## Update Compliance prerequisites
+
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
-1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
-2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them.
-3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device.
-4. For Windows 10 1803+, device names will not appear in Update Compliance unless you opt in. The steps to accomplish this is outlined in the [Enroll devices in Update Compliance](#enroll-devices-in-update-compliance) section.
+
+1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
+2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
+3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
+4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
+5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
## Add Update Compliance to your Azure subscription
-Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
-1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
+Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
+
+1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this.
+2. Select **Get it now**.
+3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data.
+ - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
+ - [Azure Update Management](https://docs.microsoft.com/azure/automation/automation-update-management) customers are advised to use the same workspace for Update Compliance.
+4. After your workspace is configured and selected, select **Create**. You will receive a notification when the solution has been successfully created.
> [!NOTE]
-> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance.
+> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](https://docs.microsoft.com/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
-2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below.
+### Get your CommercialID
-
+A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
-3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure.
+To find your CommercialID within Azure:
-
+1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
+2. From there, select the Update Compliance Settings page on the navbar.
+3. Your CommercialID is available in the settings page.
-4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution.
- - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
- - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started:
- - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
- - For the resource group setting select **Create new** and use the same name you chose for your new workspace.
- - For the location setting, choose the Azure region where you would prefer the data to be stored.
- - For the pricing tier select **per GB**.
-
-
-
-5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**.
-
-
-
-6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**.
-
-
+> [!IMPORTANT]
+> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices.
## Enroll devices in Update Compliance
-Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are three key steps to ensure successful enrollment:
-### Deploy your Commercial ID to devices
-A Commercial ID is a globally-unique identifier assigned to a specific Log Analytics workspace. This is used to identify devices as part of your environment.
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.
-To find your Commercial ID within Azure:
-1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution.
-2. From there, select the Update Compliance Settings page on the navbar.
-3. Your Commercial ID is available in the settings page.
+> [!NOTE]
+> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
-
+### Configure devices using the Update Compliance Configuration Script
->**Important**
->
->Regenerate your Commercial ID only if your Original ID key can no longer be used or if you want to completely reset your workspace. Regenerating your Commercial ID cannot be undone and will result in you losing data for all devices that have the current Commercial ID until the new Commercial ID is deployed to devices.
+The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions:
-#### Deploying Commercial ID using Group Policy
-Commercial ID can be deployed using Group Policy. The Group Policy for Commercial ID is under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure the Commercial ID**.
+- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting.
+- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance.
-
+To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md).
-#### Deploying Commercial ID using MDM
-Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+### Configure devices manually
-### Ensure endpoints are whitelisted
-To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this.
-
-| **Endpoint** | **Function** |
-|---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
-| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
-| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
-| `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
-
-### Set diagnostic data levels
-Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
-
-#### Configuring Telemetry level using Group Policy
-You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function.
-
-
-
-#### Configuring Telemetry level using MDM
-Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-
-### Enabling Device Name in telemetry
-Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead.
-
-#### Allow Device Name in Telemetry with Group Policy
-Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**.
-
-#### Allow Device Name in Telemetry with MDM
-Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry).
-
->[!NOTE]
->After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices.
\ No newline at end of file
+It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index e1e7e102cc..55e6f693d9 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -18,11 +18,9 @@ ms.topic: article
# Monitor Windows Updates with Update Compliance
> [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
->
-> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
-> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Windows Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020.
+> * The retirement of Windows Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
## Introduction
@@ -34,30 +32,15 @@ Update Compliance enables organizations to:
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
-Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal).
+Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
-- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
-- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+- [Get started with Update Compliance](update-compliance-get-started.md) provides directions on adding Update Compliance to your Azure subscription and configuring devices to send data to Update Compliance.
+- [Using Update Compliance](update-compliance-using.md) breaks down every aspect of the Update Compliance experience.
-## Update Compliance architecture
-
-The Update Compliance architecture and data flow follows this process:
-
-1. User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
-2. Diagnostic data is analyzed by the Update Compliance Data Service.
-3. Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
-4. Diagnostic data is available in the Update Compliance solution.
-
-
-> [!NOTE]
-> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md).
-
-
-
-
## Related topics
-[Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Get started with Update Compliance](update-compliance-get-started.md)
+* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
+* [Update Compliance Schema Reference](update-compliance-schema.md)
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index a4b940a236..f17250eec3 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -19,8 +19,8 @@ ms.topic: article
The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
->[!NOTE]
->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
+> [!NOTE]
+> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
The different issues are broken down by Device Issues and Update Issues:
@@ -35,12 +35,12 @@ The different issues are broken down by Device Issues and Update Issues:
* **Cancelled**: This issue occurs when a user cancels the update process.
* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
-* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
+* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days.
Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
->[!NOTE]
->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
+> [!NOTE]
+> This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
## List of Queries
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
deleted file mode 100644
index b07741ffeb..0000000000
--- a/windows/deployment/update/update-compliance-perspectives.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Update Compliance - Perspectives
-ms.reviewer:
-manager: laurawi
-description: an overview of Update Compliance Perspectives
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
-itproauthor: jaimeo
-author: jaimeo
-ms.author: jaimeo
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Perspectives
-
-> [!IMPORTANT]
-> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-
-
-
-
-Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
-
-There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
-
-The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
-
-The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
-
-## Deployment status
-
-The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
-
-| State | Description |
-| --- | --- |
-| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
-| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
-| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
-| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. |
-| Cancelled | The update was canceled. |
-| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
-| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
-| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
-| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
-
-## Detailed deployment status
-
-The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
-
-| State | Description |
-| --- | --- |
-| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. |
-| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. |
-| Update offered | The device has been offered the update, but has not begun downloading it. |
-| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
-| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
-| Download Started | The update has begun downloading on the device. |
-| Download Succeeded | The update has successfully completed downloading. |
-| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
-| Install Started | Installation of the update has begun. |
-| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
-| Reboot Pending | The device has a scheduled reboot to apply the update. |
-| Reboot Initiated | The scheduled reboot has been initiated. |
-| Update Completed/Commit | The update has successfully installed. |
-
-> [!NOTE]
-> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
new file mode 100644
index 0000000000..a455261f8c
--- /dev/null
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -0,0 +1,55 @@
+---
+title: Privacy in Update Compliance
+ms.reviewer:
+manager: laurawi
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Privacy in Update Compliance
+
+Update Compliance is fully committed to privacy, centering on these tenets:
+
+- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
+- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
+- **Security:** Your data is protected with strong security and encryption.
+- **Trust:** Update Compliance supports the Online Services Terms.
+
+## Data flow for Update Compliance
+
+The data flow sequence is as follows:
+
+1. Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
+2. An IT Administrator creates an Azure Log Analytics workspace. They then choose the location this workspace will store data and receives a Commercial ID for that workspace. The Commercial ID is added to each device in an organization by way of Group Policy, MDM or registry key.
+3. Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management Service, identifying devices by Commercial ID.
+4. These snapshots are copied to transient storage, used solely for Update Compliance where they are partitioned by Commercial ID.
+5. The snapshots are then copied to the appropriate Azure Log Analytics workspace, where the Update Compliance experience pulls the information from to populate visuals.
+
+## FAQ
+
+### Can Update Compliance be used without a direct client connection to the Microsoft Data Management Service?
+
+No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
+
+### Can I choose the data center location?
+
+Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
+
+## Related topics
+
+See related topics for additional background information on privacy and treatment of diagnostic data:
+
+- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
+- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
+- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
+- [Trust Center](https://www.microsoft.com/trustcenter)
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
new file mode 100644
index 0000000000..3cbcbbeb28
--- /dev/null
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -0,0 +1,46 @@
+---
+title: Update Compliance Schema - WaaSDeploymentStatus
+ms.reviewer:
+manager: laurawi
+description: WaaSDeploymentStatus schema
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# WaaSDeploymentStatus
+
+WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time.
+
+|Field |Type |Example |Description |
+|-|-|-----|------------------------|
+|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
+|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**DeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
+|**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
+|**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
+|**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
- **<0**: A value below 0 indicates the policy is disabled.
- **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.
- **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**FeaturePauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
+|**FeaturePauseState** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
| **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
| **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
-| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
+| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. |
### SMB hardening improvements for SYSVOL and NETLOGON shares
-In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts.
+In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts.
> [!NOTE]
-> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
+> The registry values for these settings aren't present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
### Protected Processes
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type.
-With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
+With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://docs.microsoft.com/windows/win32/services/protecting-anti-malware-services-). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
### Universal Windows apps protections
-When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
+When users download Universal Windows apps from the Microsoft Store, it's unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
-In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
+In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app's age rating and publisher.
### Windows heap protections
@@ -221,29 +221,29 @@ The *heap* is a location in memory that Windows uses to store dynamic applicatio
Windows 10 has several important improvements to the security of the heap:
-- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
+- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
-- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
+- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
-- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
+- **Heap guard pages** before and after blocks of memory, which work as trip wires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
### Kernel pool protections
-The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks.
+The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one which can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
-- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic.
+- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic.
-- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx).
+- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation).
-- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
+- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
-- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
+- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
-- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination.
+- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination.
-- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory.
+- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory.
### Control Flow Guard
@@ -251,31 +251,31 @@ When applications are loaded into memory, they are allocated space based on the
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
-An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx).
+An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://docs.microsoft.com/windows/win32/secbp/control-flow-guard).
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
### Microsoft Edge and Internet Explorer 11
-Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
+Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially:
-- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions.
+- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions.
-- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
+- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
-- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues.
+- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues.
-- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
+- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
-- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default.
+- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default.
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
-For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
+For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
### Functions that software vendors can use to build mitigations into apps
@@ -288,21 +288,21 @@ Some of the protections available in Windows 10 are provided through functions t
| Mitigation | Function |
|-------------|-----------|
-| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] |
-| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] |
-| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
-| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSignaturePolicy\] |
-| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSystemCallDisablePolicy\] |
-| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
-| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] |
-| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
-| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
+| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] |
+| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] |
+| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
+| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
\[ProcessSignaturePolicy\] |
+| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
\[ProcessSystemCallDisablePolicy\] |
+| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
+| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] |
+| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
+| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
-You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
+You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
-Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)).
+Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)).
The following table lists EMET features in relation to Windows 10 features.
@@ -337,7 +337,7 @@ to Windows 10 features
Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
+Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in Kernel pool protections, earlier in this topic.
@@ -363,7 +363,7 @@ to Windows 10 features
### Converting an EMET XML settings file into Windows 10 mitigation policies
-One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
+One of EMET's strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
```powershell
Install-Module -Name ProcessMitigations
@@ -423,21 +423,21 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath
@@ -352,9 +352,9 @@ to Windows 10 features
Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic.
Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
@@ -292,4 +292,4 @@ You can also copy the string into a blank text file and attempt to save it with
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
\ No newline at end of file
+- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 97a45e8794..78f6412fd9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -284,8 +284,6 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
- %windir%\Ntds\Ntds*.pat
-- %windir%\Ntds\EDB*.log
-
- %windir%\Ntds\TEMP.edb
#### The NTDS working folder
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 3fb436099a..7c0db7f78f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -41,7 +41,7 @@ Potentially unwanted applications can increase the risk of your network being in
### Microsoft Edge
-The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md).
#### Enable PUA protection in Chromium-based Microsoft Edge
@@ -62,7 +62,7 @@ Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off.
-Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md#create-indicators-for-ips-and-urlsdomains-preview) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
+Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings.
### Windows Defender Antivirus
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 985b6f0b7c..8c14c01d58 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -22,8 +22,8 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->[!NOTE]
->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+> [!NOTE]
+> The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
@@ -34,88 +34,92 @@ See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protectio
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
->[!NOTE]
->In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
+> [!NOTE]
+> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
-**Use Intune to enable cloud-delivered protection**
+## Use Intune to enable cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**.
3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
5. On the **Cloud-delivered protection** switch, select **Enable**.
-6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
+6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**.
7. In the **Submit samples consent** dropdown, select one of the following:
- **Send safe samples automatically**
- **Send all samples automatically**
>[!NOTE]
- >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+ > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING]
- > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+ > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
-**Use Configuration Manager to enable cloud-delivered protection:**
+## Use Configuration Manager to enable cloud-delivered protection
See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
-**Use Group Policy to enable cloud-delivered protection:**
+## Use Group Policy to enable cloud-delivered protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
-3. Click **Administrative templates**.
+3. Select **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
-5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**.
+5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
-6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
+6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following:
1. **Send safe samples** (1)
2. **Send all samples** (3)
>[!NOTE]
- >**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
+ > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING]
- > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+ > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
7. Click **OK**.
-**Use PowerShell cmdlets to enable cloud-delivered protection:**
+## Use PowerShell cmdlets to enable cloud-delivered protection
Use the following cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent AlwaysPrompt
+Set-MpPreference -SubmitSamplesConsent SendAllSamples
```
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
+
>[!NOTE]
->You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+> You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+>[!WARNING]
+> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
-**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:**
+## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
```WMI
-MAPSReporting
+MAPSReporting
SubmitSamplesConsent
```
See the following for more information and allowed parameters:
+
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-**Enable cloud-delivered protection on individual clients with the Windows Security app**
+## Enable cloud-delivered protection on individual clients with the Windows Security app
> [!NOTE]
> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index be5477b03f..a487d96a32 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 01/09/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@@ -40,7 +39,7 @@ This article describes how to specify from where updates should be downloaded (t
## Fallback order
-Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
+Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
- The age of the last update on the device; and
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 5184c72aca..5fdfa55aa4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 03/04/2020
ms.reviewer:
manager: dansimp
---
@@ -25,46 +24,181 @@ manager: dansimp
There are two types of updates related to keeping Windows Defender Antivirus up to date:
-1. Protection updates
-2. Product updates
+ - Security intelligence updates
+ - Product updates
-You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
+> [!IMPORTANT]
+> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
+> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility).
-## Protection updates
+## Security intelligence updates
-Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates.
+Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
-Engine updates are included with the Security intelligence updates and are released on a monthly cadence.
+Engine updates are included with the security intelligence updates and are released on a monthly cadence.
## Product updates
-Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
-You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
-## Released platform and engine versions
+> [!NOTE]
+> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
-Only the main version is listed in the following table as reference information:
+## Monthly platform and engine versions
-Month | Platform/Client | Engine
----|---|---
-Feb-2020 | - | 1.1.16800.x
-Jan-2020 | 4.18.2001.x | 1.1.16700.x
-Dec-2019 | - | - |
-Nov-2019 | 4.18.1911.x | 1.1.16600.x
-Oct-2019 | 4.18.1910.x | 1.1.16500.x
-Sep-2019 | 4.18.1909.x | 1.1.16400.x
-Aug-2019 | 4.18.1908.x | 1.1.16300.x
-Jul-2019 | 4.18.1907.x | 1.1.16200.x
-Jun-2019 | 4.18.1906.x | 1.1.16100.x
-May-2019 | 4.18.1905.x | 1.1.16000.x
-Apr-2019 | 4.18.1904.x | 1.1.15900.x
-Mar-2019 | 4.18.1903.x | 1.1.15800.x
-Feb-2019 | 4.18.1902.x | 1.1.15700.x
-Jan-2019 | 4.18.1901.x | 1.1.15600.x
-Dec-18 | 4.18.1812.X | 1.1.15500.x
+For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+
+All our updates contain:
+* performance improvements
+* serviceability improvements
+* integration improvements (Cloud, MTP)
+
+
+ April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
+
+ Security intelligence update version: **TBD**
+ Released: **April 30, 2020**
+ Platform: **4.18.2004.6**
+ Engine: **1.1.17000.2**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+* WDfilter improvements
+* Add more actionable event data to ASR detection events
+* Fixed version information in diagnostic data and WMI
+* Fixed incorrect platform version in UI after platform update
+* Dynamic URL intel for Fileless threat protection
+* UEFI scan capability
+* Extend logging for updates
+
+### Known Issues
+No known issues
+
+ March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)
+
+ Security intelligence update version: **1.313.8.0**
+ Released: **March 24, 2020**
+ Platform: **4.18.2003.8**
+ Engine: **1.1.16900.4**
+ Support phase: **Technical upgrade Support (Only)**
+
+### What's new
+
+* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus)
+* Improve diagnostic capability
+* reduce Security intelligence timeout (5min)
+* Extend AMSI engine internal log capability
+* Improve notification for process blocking
+
+### Known Issues
+[**Fixed**] Windows Defender Antivirus is skipping files when running a scan.
+
+
+ February-2020 (Platform: - | Engine: 1.1.16800.2)
+
+
+ Security intelligence update version: **1.311.4.0**
+ Released: **February 25, 2020**
+ Platform/Client: **-**
+ Engine: **1.1.16800.2**
+ Support phase: **N/A**
+
+### What's new
+
+
+### Known Issues
+No known issues
+
+ January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)
+
+
+Security intelligence update version: **1.309.32.0**
+Released: **January 30, 2020**
+Platform/Client: **4.18.2001.10**
+Engine: **1.1.16700.2**
+Support phase: **Technical upgrade Support (Only)**
+
+### What's new
+
+* Fixed BSOD on WS2016 with Exchange
+* Support platform updates when TMP is redirected to network path
+* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
+* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+* Fix 4.18.1911.10 hang
+
+### Known Issues
+[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
+
+> [!IMPORTANT]
+> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
+
+ November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)
+
+Security intelligence update version: **1.307.13.0**
+Released: **December 7, 2019**
+Platform: **4.18.1911.2**
+Engine: **1.1.17000.7**
+Support phase: **No support**
+
+### What's new
+
+* Fixed MpCmdRun tracing level
+* Fixed WDFilter version info
+* Improve notifications (PUA)
+* add MRT logs to support files
+
+### Known Issues
+No known issues
+
+
- Windows 10 (all releases)
- Windows Server 2016 or later |
-|Windows E5 enrollment |This is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). |
-|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
-
-> [!IMPORTANT]
-> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection)
-
-
-## Frequently asked questions
-
-### Will shadow protection have any impact on a user's antivirus protection?
-
-No. Shadow protection does not affect third-party antivirus protection running on users' machines. Shadow protection kicks in if the primary antivirus solution misses something, or if there is post-breach detection. Shadow protection works just like Windows Defender Antivirus in passive mode with the additional steps of blocking and remediating malicious items detected.
-
-### Why do I need to keep Windows Defender Antivirus up to date?
-
-The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration, and to get best protection value, you should keep Windows Defender Antivirus up to date.
-
-### Why do we need cloud protection on?
-
-Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models.
-
-### Can I participate in the private preview of shadow protection?
-
-If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`.
-
-## See also
-
-- [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus)
-
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
index d123f26a35..2efa65178d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
@@ -22,6 +22,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+> [!IMPORTANT]
+> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
+
You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 68f8c4587a..4bf7025062 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
-description: Next-gen technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
-keywords: windows defender antivirus, next-gen technologies, next-gen av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
+title: Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection
+description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
+keywords: windows defender antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -11,12 +11,12 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.reviewer:
+ms.reviewer: shwjha
manager: dansimp
ms.custom: nextgen
---
-# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
+# Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection
**Applies to:**
@@ -27,17 +27,17 @@ Microsoft next-generation technologies in Windows Defender Antivirus provide nea
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
+To take advantage of the power and speed of these next-generation technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
-With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
+With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
-To understand how next-gen technologies shorten protection delivery time through the cloud, watch the following video:
+To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video:
@@ -54,28 +54,33 @@ Read the following blog posts for detailed protection stories involving cloud-pr
Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
-Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next update.
+Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager.
-Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune
----|---|---|---|---|---|---
-Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
-Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
-Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable
-
-You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
+|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period |
+|---------|---------|---------|---------|
+|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No |
+|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
+|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
+|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
+|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
+|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
+
+You can also [configure Windows Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
-## In this section
+## Tasks
- Topic | Description
----|---
-[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
-[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
-[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
-[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+
+- [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+
+- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+
+- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
+
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md). Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
index 9c284e75a0..bfca4b0430 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@@ -14,7 +14,6 @@ ms.topic: article
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 01/07/2020
ms.reviewer:
manager: dansimp
---
@@ -29,7 +28,7 @@ Windows Defender Antivirus is the next-generation protection component of [Micro
Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
-## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
+## 11 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP
| |Advantage |Why it matters |
|--|--|--|
@@ -39,10 +38,11 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender
|4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
-|7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
-|8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
-|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
+|10|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
+|11|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). |
## Learn more
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 33827edea0..c758cea607 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer:
+ms.reviewer:
manager: dansimp
---
@@ -25,13 +25,13 @@ manager: dansimp
## Overview
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
-- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
-- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Windows Defender Antivirus automatically goes into disabled mode.
+- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Windows Defender Antivirus.)
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
## Antivirus and Microsoft Defender ATP
-The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
+The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
@@ -47,19 +47,19 @@ The following table summarizes what happens with Windows Defender Antivirus when
(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
-- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: ForceDefenderPassiveMode
+If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: ForceDefenderPassiveMode
- Value: 1
See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
->[!IMPORTANT]
->Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
->
->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
->
->Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+> [!IMPORTANT]
+> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
+>
+> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
+>
+> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
## Functionality and features available in each state
@@ -69,30 +69,30 @@ The following table summarizes the functionality and features that are available
|--|--|--|--|--|--|
|Active mode
|Yes |No |Yes |Yes |Yes |
|Passive mode |No |No |Yes |No |Yes |
-|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
+|[EDR in block mode enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
|Automatic disabled mode |No |Yes |No |No |No |
- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
-- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
## Keep the following points in mind
-If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
-
+
In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
->[!WARNING]
->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
-
+> [!WARNING]
+> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
+
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
-- [Shadow protection in next-generation protection](shadow-protection.md)
+- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 75d23d70dd..77eca7df65 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus in the Windows Security app
-description: Windows Defender AV is now included in the Windows Security app.
+description: With Windows Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 5ade5917e6..1a4b279e16 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -1,20 +1,23 @@
-# [Windows Defender Application Control](windows-defender-application-control.md)
+# [Application Control for Windows](windows-defender-application-control.md)
+## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md)
+### [WDAC and AppLocker Feature Availability](feature-availability.md)
-## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md)
+
+## [WDAC design guide](windows-defender-application-control-design-guide.md)
### [Plan for WDAC policy lifecycle management](plan-windows-defender-application-control-management.md)
-### Design and create your WDAC policy
+### Design your initial WDAC policy
#### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
#### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md)
-##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
-##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
-#### [Example WDAC base policies](example-wdac-base-policies.md)
+#### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
+#### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
#### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
-#### [Common WDAC deployment scenarios](types-of-devices.md)
+#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
+### Create your initial WDAC policy
+#### [Example WDAC base policies](example-wdac-base-policies.md)
+#### [Policy creation for common WDAC usage scenarios](types-of-devices.md)
##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
-##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
-
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
@@ -28,7 +31,7 @@
### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
-#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
+#### [Optional: Use the WDAC Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 320db86050..b7d7885b7f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -23,7 +23,10 @@ ms.date: 10/16/2017
- Windows 10
- Windows Server
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
+
+> [!NOTE]
+> AppLocker is unable to control processes running under the system account on any operating system.
AppLocker can help you:
@@ -78,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
+> [!NOTE]
+> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
+
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## Installing AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 9e6f941382..e07be3cc57 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -27,7 +27,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
@@ -98,7 +98,7 @@ Now that the template is available to be issued, you must request one from the c
>[!NOTE]
>If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
-This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
+This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index f707f7a7bb..1a27567a27 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -21,8 +21,8 @@ ms.date: 05/03/2018
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 93758237b0..9957c0ae10 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -22,8 +22,8 @@ ms.date: 11/20/2019
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index d25131d06d..fbee02749f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -22,8 +22,8 @@ ms.date: 11/15/2019
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 484dd83dc0..1ea8df15e9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -81,7 +81,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
>[!NOTE]
->Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
+>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
@@ -95,16 +95,16 @@ Packages can fail for the following reasons:
- To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start)
- `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
- - ReadJournal command should throw an error if the older USNs don’t exist anymore due to overflow
+ - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow
- For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
- To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
- To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
- Package files that change hash each time the package is installed
- Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector
-- Files with an invalid signature blob or otherwise “unhashable” files
+- Files with an invalid signature blob or otherwise "unhashable" files
- This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
- - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can’t be allowed by hash due to authenticode hashing algorithm rejecting it)
- - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this “unhashable” state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector)
+ - WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it)
+ - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector)
## Catalog signing with SignTool.exe
@@ -124,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
-2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store.
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 13547435c1..0fc1b53db9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -14,15 +14,15 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/17/2019
+ms.date: 04/15/2020
---
# Use multiple Windows Defender Application Control Policies
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
@@ -36,16 +36,17 @@ The restriction of only having a single code integrity policy active on a system
- A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy
- For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run
-## How do Base and Supplemental Policies Interact?
+> [!NOTE]
+> Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies.
+
+## Base and supplemental policy interaction
- Multiple base policies: intersection
- Only applications allowed by both policies run without generating block events
- Base + supplemental policy: union
- Files that are allowed by the base policy or the supplemental policy are not blocked
-Note that multiple policies will not work on pre-1903 systems.
-
-### Allow Multiple Policies
+## Creating WDAC policies in Multiple Policy Format
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format.
@@ -65,9 +66,10 @@ For signed base policies that are being made supplementable, you need to ensure
Add-SignerRule -FilePath
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
+| Management solutions |
| |
+| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
+| Kernel mode policies | Available on all Windows 10 versions | Not available |
+| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
+| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
+| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
+| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
+| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
+| Enforceable file types |
|
|
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 465dfec3fb..8e442a2a0f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -19,10 +19,10 @@ ms.date: 04/09/2019
# Microsoft recommended block rules
-**Applies to**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2019
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index f58c81c02c..cccca7a73e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -21,24 +21,24 @@ ms.date: 02/21/2018
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
## Policy XML lifecycle management
-Before you begin deploying WDAC, consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
+The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
-1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML.
-2. Deploy the audit mode policy to intended computers.
-3. Monitor audit block events from the intended computers and add/edit/delete rules as needed to address unexpected/unwanted blocks.
+1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files are not prevented from executing.
+2. Deploy the audit mode policy to intended devices.
+3. Monitor audit block events from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
4. Repeat steps 2-3 until the remaining block events meet expectations.
-5. Generate the enforced mode version of the policy.
-6. Deploy the enforced mode policy to intended computers. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
+5. Generate the enforced mode version of the policy. In enforced mode, files that are not allowed by the policy are prevented from executing and corresponding block events are generated.
+6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
### Keep WDAC policies in a source control or document management solution
@@ -71,31 +71,31 @@ Additionally, WDAC events are collected by [Microsoft Defender Advanced Threat P
Considerations include:
-- What type of end-user support is provided for blocked applications?
-- How are new rules added to the policy?
-- How are existing rules updated?
-- Are events forwarded for review?
+- What type of end-user support is provided for blocked applications?
+- How are new rules added to the policy?
+- How are existing rules updated?
+- Are events forwarded for review?
### Help desk support
If your organization has an established help desk support department in place, consider the following when deploying WDAC policies:
-- What documentation does your support department require for new policy deployments?
-- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
-- Who are the contacts in the support department?
-- How will the support department resolve application control issues between the end user and those who maintain the WDAC rules?
+- What documentation does your support department require for new policy deployments?
+- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
+- Who are the contacts in the support department?
+- How will the support department resolve application control issues between the end user and those who maintain the WDAC rules?
### End-user support
Because WDAC is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include:
-- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
-- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
+- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
+- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
## Document your plan
After deciding how your organization will manage your WDAC policy, record your findings.
-- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary.
-- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
-- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time.
+- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary.
+- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
+- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 44fd750878..5b823d7eeb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -54,21 +54,21 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
-| **5 Enabled:Inherit Default Policy** | This option is reserved for future use. |
+| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, as well as on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on pre-1903 versions of Windows 10 without the 10C or later LCU is not supported and may have unintended results. |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
-| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
-| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
-| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
+| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.|
+| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. |
+| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. NOTE: This option is only supported on Windows 10, version 1903, and above. |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. |
## Windows Defender Application Control file rule levels
@@ -129,9 +129,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
## Windows Defender Application Control filename rules
-File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
-Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario.
+Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. For instance, an LOB or production application and its binaries (eg. DLLs) may all share the same product name. This allows users to easily create targeted policies based on the Product Name filename rule level.
**Table 3. Windows Defender Application Control policy - filename levels**
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index db845a4507..db8225d362 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,6 +1,6 @@
---
-title: Common WDAC deployment scenarios (Windows 10)
-description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization, using these common scenarios.
+title: Policy creation for common WDAC usage scenarios (Windows 10)
+description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
@@ -20,8 +20,9 @@ ms.date: 03/01/2018
# Windows Defender Application Control deployment in different scenarios: types of devices
**Applies to**
-- Windows 10
-- Windows Server 2016 and above
+
+- Windows 10
+- Windows Server 2016 and above
Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 04a21aa98f..1fe1a3c6b0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -35,7 +35,7 @@ You should consider using WDAC as part of your organization's application contro
- You have deployed or plan to deploy the supported versions of Windows in your organization.
- You need improved control over the access to your organization's applications and the data your users access.
-- Your organization has a well-defined process for application management and deployed.
+- Your organization has a well-defined process for application management and deployment.
- You have resources to test policies against the organization's requirements.
- You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
- The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 76cec7912f..da33a878fe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -31,7 +31,7 @@ This topic covers guidelines for using code signing control classic Windows apps
## Reviewing your applications: application signing and catalog files
-Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
+Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
@@ -45,7 +45,7 @@ To obtain signed applications or embed signatures in your in-house applications,
To use catalog signing, you can choose from the following options:
-- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications.
- Create your own catalog files, which are described in the next section.
@@ -53,12 +53,12 @@ To use catalog signing, you can choose from the following options:
Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
-Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
> [!NOTE]
-> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index c5bb40be7e..8dfefbb2b5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -34,20 +34,19 @@ As of Windows 10, version 1703, you can use WDAC policies not only to control ap
| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
-To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your ‘master’ policy (merging is described in the next section).
+To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section).
-For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization’s enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
+For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
-```
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
-$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
+```powershell
+$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll'
+$rule += New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin2.dll'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```
As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application:
-```
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
+```powershell
+$rule = New-CIPolicyRule -DriverFilePath '.\winword.exe' -Level FileName -Deny -AppID '.\temp\addin3.dll'
New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
```
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 7c9d0b4790..09a7320fa3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -21,8 +21,8 @@ ms.date: 03/10/2020
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index c3a6983cd6..675381d926 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -21,14 +21,13 @@ ms.date: 06/13/2018
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
+Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
+This is especially true for enterprises with large, ever changing software catalogs.
-Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC).
-This is especially true for enterprises with large, ever changing software catalogs.
-
-Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
+Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
A managed installer helps an IT admin balance security and manageability requirements when employing application execution control policies by providing an option that does not require specifying explicit rules for software that is being managed through a software distribution solution.
## How does a managed installer work?
@@ -36,11 +35,11 @@ A managed installer helps an IT admin balance security and manageability require
A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment.
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies.
-Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
+Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
-Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
-Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
+Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
+Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
## Configuring a managed installer with AppLocker and Windows Defender Application Control
@@ -53,7 +52,7 @@ There are three primary steps to keep in mind:
### Specify managed installers using the Managed Installer rule collection in AppLocker policy
-The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
+The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
An example of a valid Managed Installer rule collection is shown below.
@@ -83,7 +82,7 @@ As mentioned above, the AppLocker CSP for OMA-URI policies does not currently su
## Enable service enforcement in AppLocker policy
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
-Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice.
+Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice.
For example:
```code
@@ -122,7 +121,7 @@ For example:
### Enable the managed installer option in WDAC policy
In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy.
-This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
+This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption).
An example of the managed installer option being set in policy is shown below.
```code
@@ -144,10 +143,11 @@ An example of the managed installer option being set in policy is shown below.
```
+
## Set the AppLocker filter driver to autostart
To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
-Run the following command as an Administrator:
+Run the following command as an Administrator:
```code
appidtel.exe start [-mionly]
@@ -155,37 +155,36 @@ appidtel.exe start [-mionly]
Specify `-mionly` if you will not use the Intelligent Security Graph (ISG).
-
## Security considerations with managed installer
-Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do.
-It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
+Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do.
+It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
-Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
-If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
+If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended.
-To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.
+To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.
## Known limitations with managed installer
-- Application execution control based on managed installer does not support applications that self-update.
-If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run.
-Enterprises should deploy and install all application updates using the managed installer.
-In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer.
-Proper review for functionality and security should be performed for the application before using this method.
+- Application execution control based on managed installer does not support applications that self-update.
+If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run.
+Enterprises should deploy and install all application updates using the managed installer.
+In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer.
+Proper review for functionality and security should be performed for the application before using this method.
-- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments.
-Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode.
+- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments.
+Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode.
- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
-- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic.
-In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer.
+- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic.
+In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer.
Proper review for functionality and security should be performed for the application before using this method.
-- The managed installer heuristic does not authorize drivers.
+- The managed installer heuristic does not authorize drivers.
The WDAC policy must have rules that allow the necessary drivers to run.
-- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies.
-Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted.
-Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
+- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies.
+Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted.
+Review for functionality and performance for the related applications using the native images maybe necessary in some cases.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
new file mode 100644
index 0000000000..7a955f8700
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -0,0 +1,86 @@
+---
+title: WDAC and AppLocker Overview
+description: Compare Windows application control technologies.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: denisebmsft
+ms.reviewer: isbrahm
+ms.author: deniseb
+manager: dansimp
+ms.date: 04/15/2020
+ms.custom: asr
+---
+
+# Windows Defender Application Control and AppLocker Overview
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
+
+## Windows Defender Application Control
+
+WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
+
+> [!NOTE]
+> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
+
+WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
+
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
+- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
+- The identity of the process that initiated the installation of the app and its binaries (managed installer);
+- The path from which the app or file is launched (beginning with Windows 10 version 1903);
+- The process that launched the app or binary.
+
+### WDAC System Requirements
+
+WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
+WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
+
+## AppLocker
+
+AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
+
+AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
+
+- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
+- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
+- The path from which the app or file is launched (beginning with Windows 10 version 1903).
+
+### AppLocker System Requirements
+
+AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
+AppLocker policies can be deployed using Group Policy or MDM.
+
+## Choose when to use WDAC or AppLocker
+
+Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
+
+### WDAC is best when:
+
+- You are adopting application control primarily for security reasons.
+- Your application control policy can be applied to all users on the managed computers.
+- All of the devices you wish to manage are running Windows 10.
+
+### AppLocker is best when:
+
+- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
+- You need to apply different policies for different users or groups on a shared computer.
+- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
+- You do not wish to enforce application control on application files such as DLLs or drivers.
+
+## When to use both WDAC and AppLocker together
+
+AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 232b40eec6..9e0b0651d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -29,20 +29,20 @@ This topic provides a roadmap for planning and getting started on the Windows De
1. Review requirements, especially hardware requirements for VBS.
-2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
- How standardized is the hardware?
This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- - What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
+ - What software does each department or role need? Should they be able to install and run other departments' software?
If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
- Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
- Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline WDAC policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
+ In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
@@ -70,7 +70,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
## Known issues
-This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
+This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
Test this configuration in your lab before enabling it in production.
### MSI Installations are blocked by WDAC
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 36a49771c4..66a776eaf6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -44,5 +44,6 @@ Once these business factors are in place, you are ready to begin planning your W
| [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
-
+| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. |
+
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
index a34e52ab58..d3e82010c2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -17,11 +17,12 @@ manager: dansimp
ms.date: 03/16/2020
---
-# Windows Defender Application Control operational guide
+# Windows Defender Application Control operational guide
**Applies to**
-- Windows 10
-- Windows Server 2016
+
+- Windows 10
+- Windows Server 2016 and above
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 827bc6fab0..02dad7adfd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -14,17 +14,16 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 01/31/2020
+ms.date: 04/15/2020
ms.custom: asr
---
-# Application Control
+# Application Control for Windows
**Applies to:**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2019
+- Windows 10
+- Windows Server 2016 and above
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
@@ -37,82 +36,17 @@ Application control is a crucial line of defense for protecting enterprises give
> [!NOTE]
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
-Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
-- **Windows Defender Application Control**; and
-- **AppLocker**
+Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
-## Windows Defender Application Control
+- **Windows Defender Application Control**; and
+- **AppLocker**
-Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
+## In this section
-> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies.
-
-WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
-- The identity of the process that initiated the installation of the app and its binaries (managed installer);
-- The path from which the app or file is launched (beginning with Windows 10 version 1903);
-- The process that launched the app or binary.
-
-### WDAC System Requirements
-
-WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above.
-WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10.
-
-## AppLocker
-
-AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
-
-AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
-- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
-- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
-- The path from which the app or file is launched (beginning with Windows 10 version 1903).
-
-### AppLocker System Requirements
-
-AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
-AppLocker policies can be deployed using Group Policy or MDM.
-
-## Choose when to use WDAC or AppLocker
-
-Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
-
-### WDAC is best when:
-
-- You are adopting application control primarily for security reasons.
-- Your application control policy can be applied to all users on the managed computers.
-- All of the devices you wish to manage are running Windows 10.
-
-### AppLocker is best when:
-
-- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
-- You need to apply different policies for different users or groups on a shared computer.
-- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
-- You do not wish to enforce application control on application files such as DLLs or drivers.
-
-## When to use both WDAC and AppLocker together
-
-AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
-As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
-
-## WDAC and AppLocker Feature Availability
-| Capability | WDAC | AppLocker |
-|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Platform support | Available on Windows 10 | Available on Windows 8+ |
-| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
-| Management solutions |
| |
-| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
-| Kernel mode policies | Available on all Windows 10 versions | Not available |
-| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
-| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
-| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
-| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
-| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
-| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
-| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
-| Enforceable file types |
|
|
+| Topic | Description |
+| - | - |
+| [WDAC and AppLocker Overview](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
+| [WDAC and AppLocker Feature Availability](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
## See also
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
new file mode 100644
index 0000000000..428f96e9b5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 11045f435f..e5630f24a3 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -28,7 +28,7 @@ See [System requirements for Windows Defender Application Guard](https://docs.mi
## Prepare for Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
-**Standalone mode**
+### Standalone mode
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
@@ -36,7 +36,7 @@ Applies to:
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
-**Enterprise-managed mode**
+## Enterprise-managed mode
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
@@ -47,9 +47,11 @@ The following diagram shows the flow between the host PC and the isolated contai
## Install Application Guard
-Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
-**To install by using the Control Panel**
+Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
+
+### To install by using the Control Panel
+
1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
@@ -58,12 +60,11 @@ Application Guard functionality is turned off by default. However, you can quick
Application Guard and its underlying dependencies are all installed.
-**To install by using PowerShell**
+### To install by using PowerShell
>[!NOTE]
>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
-
1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
@@ -79,3 +80,44 @@ Application Guard functionality is turned off by default. However, you can quick
Application Guard and its underlying dependencies are all installed.
+### To install by using Intune
+
+> [!IMPORTANT]
+> Make sure your organization's devices meet [requirements](reqs-wd-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+
+:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
+
+1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
+
+1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
+
+ 1. In the **Platform** list, select **Windows 10 and later**.
+
+ 1. In the **Profile** list, select **Endpoint protection**.
+
+ 1. Choose **Create**.
+
+1. Specify the following settings for the profile:
+
+ - **Name** and **Description**
+
+ - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
+
+ - In the **Application Guard** list, choose **Enabled for Edge**.
+
+ - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
+
+1. Choose **OK**, and then choose **OK** again.
+
+1. Review your settings, and then choose **Create**.
+
+1. Choose **Assignments**, and then do the following:
+
+ 1. On the **Include** tab, in the **Assign to** list, choose an option.
+
+ 1. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
+
+ 1. Click **Save**.
+
+After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 5c81b7eb36..ca449ea92c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -42,4 +42,3 @@ Your environment needs the following software to run Windows Defender Applicatio
|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)
**-OR-**
[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
-|Windows Defender Exploit Protection settings|The following settings should be configured or verified in the **Windows Security** app under **App & browser control** > **Exploit protection** > **Exploit protection settings** > **System Settings**.
**Control flow guard (CFG)** must be set to **Use default (On)** or **Off by default**. If set to **On by default**, [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard) will not launch.
**Randomize memory allocations (Bottom-up ASLR)** must be set to **Use default (On)** or **Off by default**. If set to "On by default", the `Vmmem` process will have high CPU utilization while a Windows Defender Application Guard window is open.|
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index 6f9c6ff4ff..a5eebdf2a2 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -8,7 +8,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 03/15/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -28,9 +27,9 @@ We've come up with a list of scenarios that you can use to test hardware-based i
You can see how an employee would use standalone mode with Application Guard.
-**To test Application Guard in Standalone mode**
+### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
+1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard).
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
@@ -84,11 +83,11 @@ Before you can use Application Guard in enterprise mode, you must install Window
6. Start Microsoft Edge and type www.microsoft.com.
- After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
+ After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
-7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
@@ -109,7 +108,7 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
-- Windows 10 Enterpise edition, version 1709 or higher
+- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
#### Copy and paste options
@@ -169,10 +168,10 @@ You have the option to change each of these settings to work with your enterpris
The previously added site should still appear in your **Favorites** list.
>[!NOTE]
- >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
**Applies to:**
-- Windows 10 Enterpise edition, version 1803
+- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
#### Download options
@@ -202,7 +201,7 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
**Applies to:**
-- Windows 10 Enterpise edition, version 1809
+- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
#### File trust options
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 2ce382c919..d02b829376 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -24,7 +24,7 @@ manager: dansimp
- Windows 10, version 1703 and later
-The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
+The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues.
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
deleted file mode 100644
index b9d400165d..0000000000
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Windows Defender SmartScreen overview (Windows 10)
-description: Conceptual info about Windows Defender SmartScreen.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-audience: ITPro
-ms.localizationpriority: medium
-ms.date: 11/27/2019
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender SmartScreen
-
-**Applies to:**
-
-- Windows 10
-- Windows 10 Mobile
-
-Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files.
-
-**Windows Defender SmartScreen determines whether a site is potentially malicious by:**
-
-- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender Smartscreen determines that a page is suspicious, it will show a warning page to advise caution.
-
-- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-
-**Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
-
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-
-- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
-
- >[!NOTE]
- >Before Windows 10, version 1703, this feature was called _the SmartScreen filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser.
-
-## Benefits of Windows Defender SmartScreen
-
-Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
-
-- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-
-- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
-
-- **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-
-- **Improved heuristics and diagnostic data.** Windows Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
-
-- **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
-
-- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
-
-> [!IMPORTANT]
-> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
-
-## Viewing Windows Defender SmartScreen anti-phishing events
-
-When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
-
-## Viewing Windows event logs for Windows Defender SmartScreen
-Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
-
-Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
-
-```
-wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
-```
-
-> [!NOTE]
-> For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1).
-
-
-EventID | Description
--|-
-1000 | Application Windows Defender SmartScreen Event
-1001 | Uri Windows Defender SmartScreen Event
-1002 | User Decision Windows Defender SmartScreen Event
-
-## Related topics
-- [Windows Defender SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-
-- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
-- [Threat protection](../index.md)
-- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index bdbd3df95e..0000000000
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
-description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer:
-manager: dansimp
-ms.author: macapara
----
-
-# Set up and use Windows Defender SmartScreen on individual devices
-
-**Applies to:**
-- Windows 10, version 1703
-- Windows 10 Mobile
-
-Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
-
-## How employees can use Windows Security to set up Windows Defender SmartScreen
-Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.
-
->[!NOTE]
->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-
-**To use Windows Security to set up Windows Defender SmartScreen on a device**
-1. Open the Windows Security app, and then click **App & browser control**.
-
-2. In the **App & browser control** screen, choose from the following options:
-
- - In the **Check apps and files** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web.
-
- - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
-
- - In the **Windows Defender SmartScreen for Microsoft Edge** area:
-
- - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
-
- - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
-
- - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
-
- - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
-
- - **Off.** Turns off Windows Defender SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
-
- 
-
-## How Windows Defender SmartScreen works when an employee tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-
-By default, your employees can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
-
-## How employees can report websites as safe or unsafe
-You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
-
-**To report a website as safe from the warning message**
-- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
-
-**To report a website as unsafe from Microsoft Edge**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
-
-**To report a website as unsafe from Internet Explorer 11**
-- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
-
-## Related topics
-- [Threat protection](../index.md)
-
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f46696402c..c141b00025 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -59,9 +59,6 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
-> [!IMPORTANT]
-> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
-
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 2ddbd8ddd4..f8bce090ea 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -1,6 +1,6 @@
---
title: Basic Firewall Policy Design (Windows 10)
-description: Basic Firewall Policy Design
+description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 1be717ce49..71775ab476 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -1,6 +1,6 @@
---
title: Certificate-based Isolation Policy Design (Windows 10)
-description: Certificate-based Isolation Policy Design
+description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 11af4131b4..d953de0a48 100644
--- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -1,6 +1,6 @@
---
title: Change Rules from Request to Require Mode (Windows 10)
-description: Change Rules from Request to Require Mode
+description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index fa8377de0d..8d1a5f6710 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -1,6 +1,6 @@
---
title: Checklist Configuring Basic Firewall Settings (Windows 10)
-description: Checklist Configuring Basic Firewall Settings
+description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 6d74ea9356..2fec691406 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -1,6 +1,6 @@
---
title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
-description: Checklist Implementing a Basic Firewall Policy Design
+description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 2c12d1140a..873ee01d4f 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Authentication Request Rule (Windows 10)
-description: Create an Authentication Request Rule
+description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 354ed24f32..d1211abf11 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Outbound Program or Service Rule (Windows 10)
-description: Create an Outbound Program or Service Rule
+description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 15c54f8ada..e7201d21c3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -74,8 +74,8 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ
- \* indicates any local address. If present, this must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255.
- A valid IPv6 address.
-- An IPv4 address range in the format of "start address - end address" with no spaces included.
-- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address.
+- An IPv4 address range in the format of "start address-end address" with no spaces included.
+- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address.
[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
@@ -93,8 +93,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru
- LocalSubnet indicates any local address on the local subnet.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
-- An IPv4 address range in the format of "start address - end address" with no spaces included.
-- An IPv6 address range in the format of "start address - end address" with no spaces included.
+- An IPv4 address range in the format of "start address-end address" with no spaces included.
+- An IPv6 address range in the format of "start address-end address" with no spaces included.
Default is Any address.
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index d67461d012..95428bb9b0 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,6 +1,6 @@
---
title: Designing a Windows Defender Firewall Strategy (Windows 10)
-description: Designing a Windows Defender Firewall with Advanced Security Strategy
+description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index 5911a0bedc..f66bc68daa 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,6 +1,6 @@
---
title: Exemption List (Windows 10)
-description: Exemption List
+description: Learn the ins and outs of exemption lists on a secured network using Windows 10.
ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.reviewer:
ms.author: dansimp
@@ -23,7 +23,7 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
-When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
+When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list.
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 0c27975e1b..dc11219314 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,6 +1,6 @@
---
title: Gathering Info about Your Network Infrastructure (Windows 10)
-description: Gathering Information about Your Current Network Infrastructure
+description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index eda2c2ccc5..bc1c471475 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10)
-description: GPO\_DOMISO\_IsolatedDomain\_Clients
+description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index bfe618f15f..de34b9c3ad 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -1,6 +1,6 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10)
-description: GPO\_DOMISO\_IsolatedDomain\_Servers
+description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 0798ba72d5..2183c3f911 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,6 +1,6 @@
---
title: Planning Isolation Groups for the Zones (Windows 10)
-description: Planning Isolation Groups for the Zones
+description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs
ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
ms.reviewer:
ms.author: dansimp
@@ -25,7 +25,8 @@ ms.date: 04/19/2017
Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone.
->**Caution:** Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
+> [!CAUTION]
+> Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others.
Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead.
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index e8ec3acdbe..ba9cedf313 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,6 +1,6 @@
---
title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
-description: Planning to Deploy Windows Defender Firewall with Advanced Security
+description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index b34c8d48ea..117070ef88 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -1,6 +1,6 @@
---
title: Restrict Access to Only Specified Users or Devices (Windows 10)
-description: Restrict Access to Only Specified Users or Devices
+description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index 223595ed41..92f54d794a 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -1,6 +1,6 @@
---
title: Restrict Server Access to Members of a Group Only (Windows 10)
-description: Restrict Server Access to Members of a Group Only
+description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png b/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png
new file mode 100644
index 0000000000..ef004facab
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png
new file mode 100644
index 0000000000..8f94ffe396
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png
new file mode 100644
index 0000000000..bad3e1c0b3
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png
new file mode 100644
index 0000000000..fe3245e60a
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png
new file mode 100644
index 0000000000..ee8aa78bbc
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png
new file mode 100644
index 0000000000..94be89b74f
Binary files /dev/null and b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
new file mode 100644
index 0000000000..db22ee475a
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -0,0 +1,62 @@
+---
+title: Windows Sandbox architecture
+description:
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection:
+ms.topic: article
+ms.localizationpriority:
+ms.date:
+ms.reviewer:
+---
+
+# Windows Sandbox architecture
+
+Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs.
+
+## Dynamically generated image
+
+Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host.
+
+Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.
+
+Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
+
+
+
+## Memory management
+
+Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
+
+
+
+## Memory sharing
+
+Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+
+
+
+## Integrated kernel scheduler
+
+With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
+
+
+
+Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container.
+
+## WDDM GPU virtualization
+
+Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
+
+This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
+
+
+
+To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
+
+## Battery pass-through
+
+Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This functionality is critical for technology that is used on laptops, where battery life is often critical.
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
new file mode 100644
index 0000000000..2ac125c33b
--- /dev/null
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -0,0 +1,216 @@
+---
+title: Windows Sandbox configuration
+description:
+ms.prod: w10
+audience: ITPro
+author: dansimp
+ms.author: dansimp
+manager: dansimp
+ms.collection:
+ms.topic: article
+ms.localizationpriority:
+ms.date:
+ms.reviewer:
+---
+
+# Windows Sandbox configuration
+
+Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later.
+
+Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here:
+
+**C:\Temp> MyConfigFile.wsb**
+
+ A configuration file enables the user to control the following aspects of Windows Sandbox:
+- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
+- **Networking**: Enable or disable network access within the sandbox.
+- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
+- **Logon command**: A command that's executed when Windows Sandbox starts.
+- **Audio input**: Shares the host's microphone input into the sandbox.
+- **Video input**: Shares the host's webcam input into the sandbox.
+- **Protected client**: Places increased security settings on the RDP session to the sandbox.
+- **Printer redirection**: Shares printers from the host into the sandbox.
+- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
+- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.
+
+**Keywords, values, and limits**
+
+**vGPU**: Enables or disables GPU sharing.
+
+`
**Set -VMProcessor -VMName \
[1803 (RS4)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft)
[1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
[1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/)
[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)
[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/)
[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2018
March 2018
October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index d944485086..32282b709b 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
+ - Windows 10 Version 1909 (November 2019 Update)
+ - Windows 10 Version 1903 (April 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
@@ -41,7 +43,11 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
+ - Office 365 Pro Plus
- Office 2016
+
+- Microsoft Edge security baseline
+ - Edge Browser Version 80
- Tools
- Policy Analyzer tool
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index ef9b4541f0..0aaaa4cb45 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -95,7 +95,8 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is
### Window Defender Exploit Guard
-Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection).
+Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).
+
### Windows Defender Device Guard
@@ -149,3 +150,7 @@ Several network stack enhancements are available in this release. Some of these
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
+[Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
+
+
+
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index f13c8d694c..ec640e3eea 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 89e6ad37a5..6d20ec5fa7 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -72,13 +72,13 @@ This update includes 5 fixes to allow the host to run down-level containers on u
[Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) (WVD) is now generally available globally!
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
## Deployment
#### Microsoft Endpoint Manager
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
### Windows 10 Pro and Enterprise in S mode
