diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 89eeea7716..d3069c4d21 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1005,11 +1005,7 @@
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction",
"redirect_document_id": true
},
-{
-"source_path": "windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue",
-"redirect_document_id": true
-},
+
{
"source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
@@ -1611,12 +1607,22 @@
"redirect_document_id": true
},
{
+"source_path": "windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
"source_path": "windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-apis",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/use-apis.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/preferences-setup",
"redirect_document_id": true
},
@@ -1696,6 +1702,16 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/response-actions.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
"source_path": "windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection",
"redirect_document_id": true
@@ -1811,11 +1827,6 @@
"redirect_document_id": true
},
{
-"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp",
-"redirect_document_id": true
-},
-{
"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-overview.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview",
"redirect_document_id": true
@@ -12036,11 +12047,6 @@
"redirect_document_id": true
},
{
-"source_path": "windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
-"redirect_document_id": true
-},
-{
"source_path": "windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md",
"redirect_url": "/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies",
"redirect_document_id": true
@@ -12191,11 +12197,6 @@
"redirect_document_id": true
},
{
-"source_path": "windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md",
-"redirect_url": "/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection",
-"redirect_document_id": true
-},
-{
"source_path": "windows/keep-secure/restore-files-and-directories.md",
"redirect_url": "/windows/device-security/security-policy-settings/restore-files-and-directories",
"redirect_document_id": true
@@ -14446,11 +14447,6 @@
"redirect_document_id": true
},
{
-"source_path":"windows/security/threat-protection/windows-defender-atp/use-apis.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-apis",
-"redirect_document_id": false
-},
-{
"source_path":"windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp",
"redirect_document_id": false
@@ -14796,6 +14792,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-started.md",
+"redirect_url": "/windows/security/threat-protection/index.md",
+"redirect_document_id": true
+},
+{
"source_path": "windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
"redirect_document_id": false
@@ -14956,11 +14957,6 @@
"redirect_document_id": true
},
{
-"source_path": "windows/security/threat-protection/windows-defender-atp/incidents-queue.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/incidents-queue",
-"redirect_document_id": true
-},
-{
"source_path": "windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis",
"redirect_document_id": false
@@ -15041,6 +15037,31 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/windows-defender-atp/incidents-queue.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/incidents-queue",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp",
+"redirect_document_id": true
+},
+{
+"source_path":"windows/security/threat-protection/windows-defender-atp/use-apis.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-apis",
+"redirect_document_id": false
+},
+{
"source_path": "windows/security/threat-protection/windows-defender-atp/user-alert-windows-defender-advanced-threat-protection-new.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/user",
"source_path": "windows/deployment/planning/windows-10-fall-creators-deprecation.md",
@@ -15063,18 +15084,23 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/security/threat-protection/windows-defender-atp/manage-indicators-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators",
"redirect_document_id": true
},
{
-"source_path": "windows/deployment/windows-10-enterprise-subscription-activation.md",
-"redirect_url": "/windows/deployment/windows-10-subscription-activation",
-"redirect_document_id": true
+"source_path": "windows/security/threat-protection/windows-defender-atp/manage-indicators.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list",
+"redirect_document_id": false
},
{
-"source_path": "windows/security/threat-protection/windows-defender-atp/manage-indicators.md",
-"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"source_path": "windows/deployment/windows-10-enterprise-subscription-activation.md",
+"redirect_url": "/windows/deployment/windows-10-subscription-activation",
"redirect_document_id": true
},
{
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index 5944d644ce..730c9d7ac2 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -7,7 +7,9 @@
"**/*.yml"
],
"exclude": [
- "**/obj/**"
+ "**/obj/**",
+ "**/includes/**",
+ "**/shortdesc/**"
]
}
],
@@ -28,7 +30,10 @@
"breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
+ "audience": "ITPro",
"ms.topic": "article",
+ "manager": "laurawi",
+ "ms.prod": "edge",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index bddff62c1d..c7882f76e7 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -45,7 +45,7 @@ If you're having trouble deciding whether Microsoft Edge is right for your organ
## Configure the Enterprise Mode Site List
-[Available policy options](includes/configure-enterprise-mode-site-list-include.md)
+[!INCLUDE [Available policy options](includes/configure-enterprise-mode-site-list-include.md)]
## Related topics
diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md
index d22ca7fe3b..3a7671c32a 100644
--- a/browsers/edge/includes/allow-adobe-flash-include.md
+++ b/browsers/edge/includes/allow-adobe-flash-include.md
@@ -1,45 +1,46 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled or not configured (Allowed)*
-
-[!INCLUDE [allow-adobe-flash-shortdesc](../shortdesc/allow-adobe-flash-shortdesc.md)]
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description |
-|-----------------------|:---:|:--------:|-------------|
-| Disabled | 0 | 0 | Prevented |
-| Enabled **(default)** | 1 | 1 | Allowed |
-
----
-
-### ADMX info and settings
-
-#### ADMX info
-- **GP English name:** Allow Adobe Flash
-- **GP name:** AllowFlash
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Addons
-- **Value name:** FlashPlayerEnabled
-- **Value type:** REG_DWORD
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-adobe-flash-shortdesc](../shortdesc/allow-adobe-flash-shortdesc.md)]
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description |
+|-----------------------|:---:|:--------:|-------------|
+| Disabled | 0 | 0 | Prevented |
+| Enabled **(default)** | 1 | 1 | Allowed |
+
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Adobe Flash
+- **GP name:** AllowFlash
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Addons
+- **Value name:** FlashPlayerEnabled
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
index 66ad97e9f7..0c02984f58 100644
--- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
+++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
@@ -38,8 +38,9 @@
### Related Policies
-[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE
-[show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer)
+
+[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
### Related topics
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index 5150d172c9..9781a1de92 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -1,265 +1,266 @@
----
-title: Deploy Microsoft Edge kiosk mode
-description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access.
-ms.assetid:
-ms.reviewer:
-audience: itpro
manager: dansimp
-author: eavena
-ms.author: eravena
-ms.prod: edge
-ms.sitesec: library
-ms.topic: get-started-article
-ms.localizationpriority: medium
-ms.date: 10/29/2018
----
-
-# Deploy Microsoft Edge kiosk mode
-
->Applies to: Microsoft Edge on Windows 10, version 1809
->Professional, Enterprise, and Education
-
-In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode.
-
-In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service.
-
-At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
-
-
-## Kiosk mode configuration types
-
->**Policy** = Configure kiosk mode (ConfigureKioskMode)
-
-Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
-
-- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
-
- - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage)
-
- - [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps).
-
-- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down).
-
-
-### Important things to remember before getting started
-
-- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks.
-
-- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
-
-- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more.
-
-- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).
Learn more about assigned access:
-
- - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
-
- - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4).
-
- - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3).
-
-
-### Supported configuration types
-
-[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
-
-## Set up Microsoft Edge kiosk mode
-
-Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode:
-
-- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
-
-- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
-
-
-### Prerequisites
-
-- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
-
-- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
-
-- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:
-
- ```
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
- ```
-
-
-### Use Windows Settings
-
-Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
-
-
-1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
-
-2. On the **Set up a kiosk** page, click **Get started**.
-
-3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**.
-
-4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**.
-
-5. Select how Microsoft Edge displays when running in kiosk mode:
-
- - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.
-
- - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data.
-
-6. Select **Next**.
-
-7. Type the URL to load when the kiosk launches.
-
-8. Accept the default value of **5 minutes** for the idle time or provide a value of your own.
-
-9. Click **Next**.
-
-10. Close the **Settings** window to save and apply your choices.
-
-11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration.
-
-**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings.
-
-**_What's next?_**
-
-- User your new kiosk device.
- OR
-- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
-
----
-
-
-### Use Microsoft Intune or other MDM service
-
-With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
-
->[!IMPORTANT]
->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
-
-1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
-
-2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device.
-
- | | |
- |---|---|
- | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
**Single-app kiosk experience**
**0** - Digital signage and interactive display
**1** - InPrivate Public browsing
**Multi-app kiosk experience**
**0** - Normal Microsoft Edge running in assigned access
 | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
**0** - No idle timer
**1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example, \\ |
- | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
**0 (default)** - Not configured. Show home button, and load the default Start page.
**1** - Enabled. Show home button and load New Tab page
**2** - Enabled. Show home button & set a specific page.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
- | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
-
-
-**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
-
-**_What's next?_**
-*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
-
-**Legend:**
-  = Not applicable or not supported
-  = Supported
-
----
-
-## Feature comparison of kiosk mode and kiosk browser app
-In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-
-
-| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** |
-|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
-| Print support |  |  |
-| Multi-tab support |  |  |
-| Allow/Block URL support | 
*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. |  |
-| Configure Home Button |  |  |
-| Set Start page(s) URL |  | 
*Same as Home button URL* |
-| Set New Tab page URL |  |  |
-| Favorites management |  |  |
-| End session button |  | 
*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* |
-| Reset on inactivity |  |  |
-| Internet Explorer integration (Enterprise Mode site list) | 
*Multi-app mode only* |  |
-| Available in Microsoft Store |  |  |
-| SKU availability | Windows 10 October 2018 Update Professional, Enterprise, and Education | Windows 10 April 2018 Update Professional, Enterprise, and Education |
-
-**\*Windows Defender Firewall**
-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
-
----
-
-## Provide feedback or get support
-
-To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
-
-**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
-
-
-
+---
+title: Deploy Microsoft Edge kiosk mode
+description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access.
+ms.assetid:
+ms.reviewer:
+audience: itpro
+manager: dansimp
+author: eavena
+ms.author: eravena
+ms.prod: edge
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 10/29/2018
+---
+
+# Deploy Microsoft Edge kiosk mode
+
+>Applies to: Microsoft Edge on Windows 10, version 1809
+>Professional, Enterprise, and Education
+
+In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode.
+
+In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service.
+
+At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
+
+
+## Kiosk mode configuration types
+
+>**Policy** = Configure kiosk mode (ConfigureKioskMode)
+
+Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
+
+- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
+
+ - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage)
+
+ - [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps).
+
+- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down).
+
+
+### Important things to remember before getting started
+
+- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+
+- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
+
+- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more.
+
+- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).
Learn more about assigned access:
+
+ - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
+
+ - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4).
+
+ - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3).
+
+
+### Supported configuration types
+
+[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
+
+## Set up Microsoft Edge kiosk mode
+
+Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode:
+
+- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
+
+- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
+
+
+### Prerequisites
+
+- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
+
+- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
+
+- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:
+
+ ```
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
+ ```
+
+
+### Use Windows Settings
+
+Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
+
+
+1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
+
+2. On the **Set up a kiosk** page, click **Get started**.
+
+3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**.
+
+4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**.
+
+5. Select how Microsoft Edge displays when running in kiosk mode:
+
+ - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.
+
+ - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data.
+
+6. Select **Next**.
+
+7. Type the URL to load when the kiosk launches.
+
+8. Accept the default value of **5 minutes** for the idle time or provide a value of your own.
+
+9. Click **Next**.
+
+10. Close the **Settings** window to save and apply your choices.
+
+11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration.
+
+**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings.
+
+**_What's next?_**
+
+- User your new kiosk device.
+ OR
+- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
+
+---
+
+
+### Use Microsoft Intune or other MDM service
+
+With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
+
+>[!IMPORTANT]
+>If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
+
+1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
+
+2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device.
+
+ | | |
+ |---|---|
+ | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
**Single-app kiosk experience**
**0** - Digital signage and interactive display
**1** - InPrivate Public browsing
**Multi-app kiosk experience**
**0** - Normal Microsoft Edge running in assigned access
 | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
**0** - No idle timer
**1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example, \\ |
+ | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
**0 (default)** - Not configured. Show home button, and load the default Start page.
**1** - Enabled. Show home button and load New Tab page
**2** - Enabled. Show home button & set a specific page.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
+ | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
+
+
+**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
+
+**_What's next?_**
+*1) For multi-app assigned access, you must configure Internet Explorer 11.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
+
+**Legend:**
+  = Not applicable or not supported
+  = Supported
+
+---
+
+## Feature comparison of kiosk mode and kiosk browser app
+In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
+
+
+| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** |
+|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
+| Print support |  |  |
+| Multi-tab support |  |  |
+| Allow/Block URL support | 
*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. |  |
+| Configure Home Button |  |  |
+| Set Start page(s) URL |  | 
*Same as Home button URL* |
+| Set New Tab page URL |  |  |
+| Favorites management |  |  |
+| End session button |  | 
*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* |
+| Reset on inactivity |  |  |
+| Internet Explorer integration (Enterprise Mode site list) | 
*Multi-app mode only* |  |
+| Available in Microsoft Store |  |  |
+| SKU availability | Windows 10 October 2018 Update Professional, Enterprise, and Education | Windows 10 April 2018 Update Professional, Enterprise, and Education |
+
+**\*Windows Defender Firewall**
+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+
+---
+
+## Provide feedback or get support
+
+To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+
+
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index c90d6b1c59..15560fccc7 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -171,13 +171,13 @@ You can determine which zones or domains are used for data collection, using Pow
**To set up data collection using a domain allow list**
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
>**Important** Wildcards, like \*.microsoft.com, aren’t supported.
**To set up data collection using a zone allow list**
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
>**Important** Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
index 3e22df673d..9e9f2933fe 100644
--- a/browsers/enterprise-mode/enterprise-mode.md
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -5,7 +5,7 @@ ms.pagetype: security
description: Use this section to learn about how to turn on Enterprise Mode.
author: eavena
ms.author: eravena
-ms.prod: edge, ie11
+ms.prod: edge
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index 0fed701c19..c2812cb730 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -1,188 +1,188 @@
-#[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
+# [IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
-##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md)
+## [Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md)
-##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md)
+## [System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md)
-##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md)
+## [List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md)
-##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md)
-###[Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md)
-####[Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md)
-####[Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md)
-####[Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md)
-###[Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md)
-####[Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md)
-####[Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md)
-####[Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md)
-####[Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md)
-####[Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md)
-####[Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md)
-###[Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md)
-####[Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md)
-####[Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md)
-###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
+## [Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md)
+### [Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md)
+#### [Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md)
+#### [Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md)
+#### [Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md)
+### [Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md)
+#### [Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md)
+#### [Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md)
+#### [Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md)
+#### [Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md)
+#### [Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md)
+#### [Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md)
+### [Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md)
+#### [Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md)
+#### [Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md)
+### [Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
-##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
+## [Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
-##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
-###[Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md)
-###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
-###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
-###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
-###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
-###[Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md)
-###[Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md)
-###[Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md)
-###[Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md)
-####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
-####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
-####[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md)
-####[Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md)
-####[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-####[Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md)
-####[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md)
-####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
-####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
-####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
-#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
-#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
-####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
-#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
-#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
-#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
-#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
-#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
-#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
-#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
-###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
-###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
-###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)
-###[Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md)
-###[Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md)
+## [Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
+### [Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md)
+### [Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
+### [Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
+### [Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
+### [Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
+### [Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md)
+### [Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md)
+### [Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md)
+### [Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md)
+#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
+#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
+#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
+#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
+#### [Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md)
+#### [Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md)
+#### [Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md)
+#### [Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md)
+#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
+#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
+#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
+##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
+##### [Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
+#### [Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
+##### [Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
+##### [Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
+##### [Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
+##### [Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
+##### [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
+##### [View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
+##### [View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
+### [Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
+### [Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
+### [Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)
+### [Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md)
+### [Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md)
-##[Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md)
-###[Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md)
-####[Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md)
-####[Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md)
-####[Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md)
-####[Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md)
-####[Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md)
-###[New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md)
-###[Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md)
-###[ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md)
-###[Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md)
-###[Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md)
-###[Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md)
-###[Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md)
+## [Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md)
+### [Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md)
+#### [Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md)
+#### [Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md)
+#### [Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md)
+#### [Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md)
+#### [Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md)
+### [New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md)
+### [Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md)
+### [ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md)
+### [Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md)
+### [Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md)
+### [Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md)
+### [Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md)
-##[Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md)
-###[Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md)
-###[Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md)
-###[Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md)
+## [Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md)
+### [Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md)
+### [Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md)
+### [Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md)
-##[Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md)
-###[Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md)
-###[Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md)
-###[Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md)
-###[Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md)
-###[User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md)
-###[Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md)
-###[.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md)
-###[Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md)
-###[Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md)
-###[Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md)
-###[Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md)
+## [Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md)
+### [Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md)
+### [Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md)
+### [Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md)
+### [Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md)
+### [User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md)
+### [Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md)
+### [.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md)
+### [Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md)
+### [Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md)
+### [Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md)
+### [Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md)
-##[Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md)
-###[Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md)
+## [Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md)
+### [Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md)
-##[Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md)
+## [Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md)
-##[What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md)
-###[Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-###[Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md)
+## [What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md)
+### [Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
+### [Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md)
-##[Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md)
+## [Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md)
-##[Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md)
+## [Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md)
-##[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md)
+## [Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md)
-#[IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md)
+# [IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md)
-#[Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md)
-##[What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md)
-##[Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md)
-##[Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md)
-###[Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md)
-###[Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md)
-###[Security features and IEAK 11](ie11-ieak/security-and-ieak11.md)
-###[File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md)
-###[Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md)
-###[Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md)
-###[Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md)
-###[Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md)
-###[Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md)
-###[Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md)
-###[Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md)
-###[Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md)
-###[Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md)
-###[Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md)
-###[Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md)
-###[Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md)
-###[IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md)
-###[Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md)
+# [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md)
+## [What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md)
+## [Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md)
+## [Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md)
+### [Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md)
+### [Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md)
+### [Security features and IEAK 11](ie11-ieak/security-and-ieak11.md)
+### [File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md)
+### [Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md)
+### [Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md)
+### [Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md)
+### [Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md)
+### [Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md)
+### [Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md)
+### [Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md)
+### [Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md)
+### [Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md)
+### [Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md)
+### [Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md)
+### [Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md)
+### [IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md)
+### [Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md)
-##[Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
-###[Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
-###[Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
-###[Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
-###[Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
-###[Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
-###[Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
-###[Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
-###[Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
-###[Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
-###[Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
-###[Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
-###[Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
-###[Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
-###[Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
-###[Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
-###[Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
-###[Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
-###[Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
-###[Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
-###[Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
-###[Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
-###[Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
-###[Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
-###[Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
-###[Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
-###[Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
+## [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
+### [Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
+### [Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
+### [Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
+### [Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
+### [Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
+### [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
+### [Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
+### [Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
+### [Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
+### [Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
+### [Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
+### [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
+### [Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
+### [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
+### [Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
+### [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
+### [Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
+### [Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
+### [Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
+### [Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
+### [Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
+### [Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
+### [Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
+### [Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
+### [Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
+### [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
-##[Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
-###[Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
-###[Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
-###[Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
-###[Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
-###[Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
-###[Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
-###[Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
-###[Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
-###[Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
-###[Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
-###[Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
-###[Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
-###[Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
+## [Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
+### [Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
+### [Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
+### [Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
+### [Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
+### [Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
+### [Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
+### [Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
+### [Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
+### [Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
+### [Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
+### [Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
+### [Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
+### [Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
-##[IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
-###[IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
-###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
+## [IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
+### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
+### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 153f4be5f1..934ad0e5f6 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -24,10 +24,11 @@
"globalMetadata": {
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
- "ms.author": "shortpatti",
- "author": "eross-msft",
+ "audience": "ITPro",
"ms.technology": "internet-explorer",
+ "ms.prod": "ie11",
"ms.topic": "article",
+ "manager": "laurawi",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index aaabccc9ae..12049fdcb9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -1,482 +1,483 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Collect data using Enterprise Site Discovery
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# Collect data using Enterprise Site Discovery
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7 with Service Pack 1 (SP1)
-
-Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
-
->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-
-## Before you begin
-Before you start, you need to make sure you have the following:
-
-- Latest cumulative security update (for all supported versions of Internet Explorer):
-
- 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
-
- 
-
- 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
-
- 
-
- 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
-
-- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
-
- - Configuration-related PowerShell scripts
-
- - IETelemetry.mof file
-
- - Sample System Center 2012 report templates
-
- You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
-
-Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
-
-## What data is collected?
-Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
-
-|Data point |IE11 |IE10 |IE9 |IE8 |Description |
-|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
-|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
-|Domain | X | X | X | X |Top-level domain of the browsed site. |
-|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
-|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
-|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
-|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
-|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
-|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
-|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
-|Number of visits | X | X | X | X |Number of times a site has been visited. |
-|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
-
-
->**Important** By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-### Understanding the returned reason codes
-The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
-
-#### DocMode reason
-The codes in this table can tell you what document mode was set by IE for a webpage. These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
-|4 |Page is using an X-UA-compatible meta tag. |
-|5 |Page is using an X-UA-compatible HTTP header. |
-|6 |Page appears on an active **Compatibility View** list. |
-|7 |Page is using native XML parsing. |
-|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
-|9 |Page state is set by the browser mode and the page's DOCTYPE.|
-
-#### Browser state reason
-The codes in this table can tell you why the browser is in its current state. Also called “browser mode”. These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
-|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
-|3 |Site appears on an active **Compatibility View** list, created by the user. |
-|4 |Page is using an X-UA-compatible tag. |
-|5 |Page state is set by the **Developer** toolbar. |
-|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
-|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
-|8 |Site appears on the **Quirks** list, created in Group Policy. |
-|11 |Site is using the default browser. |
-
-#### Zone
-The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings. These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|-1 |Internet Explorer is using an invalid zone. |
-|0 |Internet Explorer is using the Local machine zone. |
-|1 |Internet Explorer is using the Local intranet zone. |
-|2 |Internet Explorer is using the Trusted sites zone. |
-|3 |Internet Explorer is using the Internet zone. |
-|4 |Internet Explorer is using the Restricted sites zone. |
-
-## Where is the data stored and how do I collect it?
-The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
-
-- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
-
-- **XML file**. Any agent that works with XML can be used.
-
-## WMI Site Discovery suggestions
-We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
-
-On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
-
->**Important** The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-## Getting ready to use Enterprise Site Discovery
-Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
--OR-
-- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-
-### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
-You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
-
->**Important** You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
-
-**To set up Enterprise Site Discovery**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
-
-### WMI only: Set up your firewall for WMI data
-If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
-
-**To set up your firewall**
-
-1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
-
-2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
-
-3. Restart your computer to start collecting your WMI data.
-
-## Use PowerShell to finish setting up Enterprise Site Discovery
-You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
-
->**Important** The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
-
-- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
-
-- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
-
-**To set up data collection using a domain allow list**
-
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
-
- >**Important** Wildcards, like \*.microsoft.com, aren’t supported.
-
-**To set up data collection using a zone allow list**
-
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
-
- >**Important** Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
-
-## Use Group Policy to finish setting up Enterprise Site Discovery
-You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
-
->**Note** All of the Group Policy settings can be used individually or as a group.
-
- **To set up Enterprise Site Discovery using Group Policy**
-
-- Open your Group Policy editor, and go to these new settings:
-
- |Setting name and location |Description |Options |
- |---------------------------|-------------|---------|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
**On.** Turns on WMI recording.
**Off.** Turns off WMI recording.
|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
**XML file path.** Including this turns on XML recording.
**Blank.** Turns off XML recording.
|
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
0 – Restricted Sites zone 0 – Internet zone 0 – Trusted Sites zone 0 – Local Intranet zone 0 – Local Machine zone
**Example 1:** Include only the Local Intranet zone
Binary representation: *00010*, based on:
0 – Restricted Sites zone 0 – Internet zone 0 – Trusted Sites zone 1 – Local Intranet zone 0 – Local Machine zone
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones
Binary representation: *10110*, based on:
1 – Restricted Sites zone 0 – Internet zone 1 – Trusted Sites zone 1 – Local Intranet zone 1 – Local Machine zone |
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
microsoft.sharepoint.com outlook.com onedrive.com timecard.contoso.com LOBApp.contoso.com |
-
-### Combining WMI and XML Group Policy settings
-You can use both the WMI and XML settings individually or together:
-
-**To turn off Enterprise Site Discovery**
-
-
-
Setting name
-
Option
-
-
-
Turn on Site Discovery WMI output
-
Off
-
-
-
Turn on Site Discovery XML output
-
Blank
-
-
-
-**Turn on WMI recording only**
-
-
-
Setting name
-
Option
-
-
-
Turn on Site Discovery WMI output
-
On
-
-
-
Turn on Site Discovery XML output
-
Blank
-
-
-
-**To turn on XML recording only**
-
-
-
Setting name
-
Option
-
-
-
Turn on Site Discovery WMI output
-
Off
-
-
-
Turn on Site Discovery XML output
-
XML file path
-
-
-
-To turn on both WMI and XML recording
-
-
-
Setting name
-
Option
-
-
-
Turn on Site Discovery WMI output
-
On
-
-
-
Turn on Site Discovery XML output
-
XML file path
-
-
-
-## Use Configuration Manager to collect your data
-After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
--OR-
-- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-
-### Collect your hardware inventory using the MOF Editor while connected to a client device
-You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
- 
-
-2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
-
-3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
-
- 
-
-4. Select the check boxes next to the following classes, and then click **OK**:
-
- - IESystemInfo
-
- - IEURLInfo
-
- - IECountInfo
-
-5. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the MOF Editor with a .MOF import file
-You can collect your hardware inventory using the MOF Editor and a .MOF import file.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
-2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
-
-3. Pick the inventory items to install, and then click **Import**.
-
-4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
-
-**To collect your inventory**
-
-1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory.
-
-2. Add this text to the end of the file:
-
- ```
- [SMS_Report (TRUE),
- SMS_Group_Name ("IESystemInfo"),
- SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"),
- Namespace ("root\\\\cimv2\\\\IETelemetry") ]
- Class IESystemInfo: SMS_Class_Template
- {
- [SMS_Report (TRUE), Key ]
- String SystemKey;
- [SMS_Report (TRUE) ]
- String IEVer;
- };
-
- [SMS_Report (TRUE),
- SMS_Group_Name ("IEURLInfo"),
- SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"),
- Namespace ("root\\\\cimv2\\\\IETelemetry") ]
- Class IEURLInfo: SMS_Class_Template
- {
- [SMS_Report (TRUE), Key ]
- String URL;
- [SMS_Report (TRUE) ]
- String Domain;
- [SMS_Report (TRUE) ]
- UInt32 DocMode;
- [SMS_Report (TRUE) ]
- UInt32 DocModeReason;
- [SMS_Report (TRUE) ]
- UInt32 Zone;
- [SMS_Report (TRUE) ]
- UInt32 BrowserStateReason;
- [SMS_Report (TRUE) ]
- String ActiveXGUID[];
- [SMS_Report (TRUE) ]
- UInt32 CrashCount;
- [SMS_Report (TRUE) ]
- UInt32 HangCount;
- [SMS_Report (TRUE) ]
- UInt32 NavigationFailureCount;
- [SMS_Report (TRUE) ]
- UInt32 NumberOfVisits;
- [SMS_Report (TRUE) ]
- UInt32 MostRecentNavigationFailure;
- };
-
- [SMS_Report (TRUE),
- SMS_Group_Name ("IECountInfo"),
- SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"),
- Namespace ("root\\\\cimv2\\\\IETelemetry") ]
- Class IECountInfo: SMS_Class_Template
- {
- [SMS_Report (TRUE), Key ]
- String CountKey;
- [SMS_Report (TRUE) ]
- UInt32 CrashCount;
- [SMS_Report (TRUE) ]
- UInt32 HangCount;
- [SMS_Report (TRUE) ]
- UInt32 NavigationFailureCount;
- };
- ```
-
-3. Save the file and close it to the same location.
- Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-## View the sample reports with your collected data
-The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
-
-### SCCM Report Sample – ActiveX.rdl
-Gives you a list of all of the ActiveX-related sites visited by the client computer.
-
-
-
-### SCCM Report Sample – Site Discovery.rdl
-Gives you a list of all of the sites visited by the client computer.
-
-
-
-## View the collected XML data
-After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
-
-``` xml
-
-
- [dword]
- [dword]
- [dword]
-
-
- [string]
-
- [guid]
-
- [dword]
- [dword]
- [dword]
- [dword]
- [dword]
- [dword]
- [dword]
- [dword]
- [string]
- [dword]
-
- …
- …
-
-```
-You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list.
-
-**To add your XML data to your Enterprise Mode site list**
-
-1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
-
- 
-
-2. Go to your XML file to add the included sites to the tool, and then click **Open**. Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-## Turn off data collection on your client devices
-After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
-
-**To stop collecting data, using PowerShell**
-
-- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`.
-
- >**Note** Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
-
-
-**To stop collecting data, using Group Policy**
-
-1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
-
-2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
-
-### Delete already stored data from client computers
-You can completely remove the data stored on your employee’s computers.
-
-**To delete all existing data**
-
-- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
-
- - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
-
-## Related topics
-* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
-* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
+author: dansimp
+ms.prod: ie11
+ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Collect data using Enterprise Site Discovery
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Collect data using Enterprise Site Discovery
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7 with Service Pack 1 (SP1)
+
+Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
+
+>**Upgrade Readiness and Windows upgrades**
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+
+## Before you begin
+Before you start, you need to make sure you have the following:
+
+- Latest cumulative security update (for all supported versions of Internet Explorer):
+
+ 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
+
+ 
+
+ 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
+
+ 
+
+ 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
+
+- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
+
+ - Configuration-related PowerShell scripts
+
+ - IETelemetry.mof file
+
+ - Sample System Center 2012 report templates
+
+ You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
+
+Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
+
+## What data is collected?
+Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
+
+|Data point |IE11 |IE10 |IE9 |IE8 |Description |
+|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
+|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
+|Domain | X | X | X | X |Top-level domain of the browsed site. |
+|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
+|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
+|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
+|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
+|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
+|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
+|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
+|Number of visits | X | X | X | X |Number of times a site has been visited. |
+|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
+
+
+>**Important** By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
+
+### Understanding the returned reason codes
+The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
+
+#### DocMode reason
+The codes in this table can tell you what document mode was set by IE for a webpage. These codes only apply to Internet Explorer 10 and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
+|4 |Page is using an X-UA-compatible meta tag. |
+|5 |Page is using an X-UA-compatible HTTP header. |
+|6 |Page appears on an active **Compatibility View** list. |
+|7 |Page is using native XML parsing. |
+|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
+|9 |Page state is set by the browser mode and the page's DOCTYPE.|
+
+#### Browser state reason
+The codes in this table can tell you why the browser is in its current state. Also called “browser mode”. These codes only apply to Internet Explorer 10 and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
+|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
+|3 |Site appears on an active **Compatibility View** list, created by the user. |
+|4 |Page is using an X-UA-compatible tag. |
+|5 |Page state is set by the **Developer** toolbar. |
+|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
+|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
+|8 |Site appears on the **Quirks** list, created in Group Policy. |
+|11 |Site is using the default browser. |
+
+#### Zone
+The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings. These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|-1 |Internet Explorer is using an invalid zone. |
+|0 |Internet Explorer is using the Local machine zone. |
+|1 |Internet Explorer is using the Local intranet zone. |
+|2 |Internet Explorer is using the Trusted sites zone. |
+|3 |Internet Explorer is using the Internet zone. |
+|4 |Internet Explorer is using the Restricted sites zone. |
+
+## Where is the data stored and how do I collect it?
+The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
+
+- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
+
+- **XML file**. Any agent that works with XML can be used.
+
+## WMI Site Discovery suggestions
+We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
+
+On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
+
+>**Important** The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
+
+## Getting ready to use Enterprise Site Discovery
+Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
+-OR-
+- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
+You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
+
+>**Important** You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
+
+**To set up Enterprise Site Discovery**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
+
+### WMI only: Set up your firewall for WMI data
+If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
+
+**To set up your firewall**
+
+1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
+
+2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
+
+3. Restart your computer to start collecting your WMI data.
+
+## Use PowerShell to finish setting up Enterprise Site Discovery
+You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
+
+>**Important** The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
+
+- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
+
+- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
+
+**To set up data collection using a domain allow list**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+
+ >**Important** Wildcards, like \*.microsoft.com, aren’t supported.
+
+**To set up data collection using a zone allow list**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+
+ >**Important** Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
+
+## Use Group Policy to finish setting up Enterprise Site Discovery
+You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
+
+>**Note** All of the Group Policy settings can be used individually or as a group.
+
+ **To set up Enterprise Site Discovery using Group Policy**
+
+- Open your Group Policy editor, and go to these new settings:
+
+ |Setting name and location |Description |Options |
+ |---------------------------|-------------|---------|
+ |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
**On.** Turns on WMI recording.
**Off.** Turns off WMI recording.
|
+ |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
**XML file path.** Including this turns on XML recording.
**Blank.** Turns off XML recording.
|
+ |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
0 – Restricted Sites zone 0 – Internet zone 0 – Trusted Sites zone 0 – Local Intranet zone 0 – Local Machine zone
**Example 1:** Include only the Local Intranet zone
Binary representation: *00010*, based on:
0 – Restricted Sites zone 0 – Internet zone 0 – Trusted Sites zone 1 – Local Intranet zone 0 – Local Machine zone
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones
Binary representation: *10110*, based on:
1 – Restricted Sites zone 0 – Internet zone 1 – Trusted Sites zone 1 – Local Intranet zone 1 – Local Machine zone |
+ |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
microsoft.sharepoint.com outlook.com onedrive.com timecard.contoso.com LOBApp.contoso.com |
+
+### Combining WMI and XML Group Policy settings
+You can use both the WMI and XML settings individually or together:
+
+**To turn off Enterprise Site Discovery**
+
+
+
Setting name
+
Option
+
+
+
Turn on Site Discovery WMI output
+
Off
+
+
+
Turn on Site Discovery XML output
+
Blank
+
+
+
+**Turn on WMI recording only**
+
+
+
Setting name
+
Option
+
+
+
Turn on Site Discovery WMI output
+
On
+
+
+
Turn on Site Discovery XML output
+
Blank
+
+
+
+**To turn on XML recording only**
+
+
+
Setting name
+
Option
+
+
+
Turn on Site Discovery WMI output
+
Off
+
+
+
Turn on Site Discovery XML output
+
XML file path
+
+
+
+To turn on both WMI and XML recording
+
+
+
Setting name
+
Option
+
+
+
Turn on Site Discovery WMI output
+
On
+
+
+
Turn on Site Discovery XML output
+
XML file path
+
+
+
+## Use Configuration Manager to collect your data
+After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
+-OR-
+- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### Collect your hardware inventory using the MOF Editor while connected to a client device
+You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
+
+ **To collect your inventory**
+
+1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
+
+ 
+
+2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
+
+3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
+
+ 
+
+4. Select the check boxes next to the following classes, and then click **OK**:
+
+ - IESystemInfo
+
+ - IEURLInfo
+
+ - IECountInfo
+
+5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+### Collect your hardware inventory using the MOF Editor with a .MOF import file
+You can collect your hardware inventory using the MOF Editor and a .MOF import file.
+
+ **To collect your inventory**
+
+1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
+
+2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
+
+3. Pick the inventory items to install, and then click **Import**.
+
+4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+
+**To collect your inventory**
+
+1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory.
+
+2. Add this text to the end of the file:
+
+ ```
+ [SMS_Report (TRUE),
+ SMS_Group_Name ("IESystemInfo"),
+ SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"),
+ Namespace ("root\\\\cimv2\\\\IETelemetry") ]
+ Class IESystemInfo: SMS_Class_Template
+ {
+ [SMS_Report (TRUE), Key ]
+ String SystemKey;
+ [SMS_Report (TRUE) ]
+ String IEVer;
+ };
+
+ [SMS_Report (TRUE),
+ SMS_Group_Name ("IEURLInfo"),
+ SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"),
+ Namespace ("root\\\\cimv2\\\\IETelemetry") ]
+ Class IEURLInfo: SMS_Class_Template
+ {
+ [SMS_Report (TRUE), Key ]
+ String URL;
+ [SMS_Report (TRUE) ]
+ String Domain;
+ [SMS_Report (TRUE) ]
+ UInt32 DocMode;
+ [SMS_Report (TRUE) ]
+ UInt32 DocModeReason;
+ [SMS_Report (TRUE) ]
+ UInt32 Zone;
+ [SMS_Report (TRUE) ]
+ UInt32 BrowserStateReason;
+ [SMS_Report (TRUE) ]
+ String ActiveXGUID[];
+ [SMS_Report (TRUE) ]
+ UInt32 CrashCount;
+ [SMS_Report (TRUE) ]
+ UInt32 HangCount;
+ [SMS_Report (TRUE) ]
+ UInt32 NavigationFailureCount;
+ [SMS_Report (TRUE) ]
+ UInt32 NumberOfVisits;
+ [SMS_Report (TRUE) ]
+ UInt32 MostRecentNavigationFailure;
+ };
+
+ [SMS_Report (TRUE),
+ SMS_Group_Name ("IECountInfo"),
+ SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"),
+ Namespace ("root\\\\cimv2\\\\IETelemetry") ]
+ Class IECountInfo: SMS_Class_Template
+ {
+ [SMS_Report (TRUE), Key ]
+ String CountKey;
+ [SMS_Report (TRUE) ]
+ UInt32 CrashCount;
+ [SMS_Report (TRUE) ]
+ UInt32 HangCount;
+ [SMS_Report (TRUE) ]
+ UInt32 NavigationFailureCount;
+ };
+ ```
+
+3. Save the file and close it to the same location.
+ Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+## View the sample reports with your collected data
+The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
+
+### SCCM Report Sample – ActiveX.rdl
+Gives you a list of all of the ActiveX-related sites visited by the client computer.
+
+
+
+### SCCM Report Sample – Site Discovery.rdl
+Gives you a list of all of the sites visited by the client computer.
+
+
+
+## View the collected XML data
+After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
+
+``` xml
+
+
+ [dword]
+ [dword]
+ [dword]
+
+
+ [string]
+
+ [guid]
+
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [string]
+ [dword]
+
+ …
+ …
+
+```
+You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list.
+
+**To add your XML data to your Enterprise Mode site list**
+
+1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
+
+ 
+
+2. Go to your XML file to add the included sites to the tool, and then click **Open**. Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+## Turn off data collection on your client devices
+After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
+
+**To stop collecting data, using PowerShell**
+
+- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`.
+
+ >**Note** Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
+
+
+**To stop collecting data, using Group Policy**
+
+1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
+
+2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
+
+### Delete already stored data from client computers
+You can completely remove the data stored on your employee’s computers.
+
+**To delete all existing data**
+
+- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
+
+ - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
+
+## Related topics
+* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
+* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index f561f79cfd..17e4e860cf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -1,301 +1,302 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: appcompat
-description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
-author: lomayor
-ms.prod: ie11
-ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 12/04/2017
----
-
-
-# Enterprise Mode schema v.2 guidance
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7
-
-Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
-
-**Important**
-If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-## Enterprise Mode schema v.2 updates
-Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
-
-- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
-
-- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
-
-You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
-
-### Enterprise Mode v.2 schema example
-The following is an example of the v.2 version of the Enterprise Mode schema.
-
-**Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both https://contoso.com and https://contoso.com.
-
-``` xml
-
-
-
- EnterpriseSitelistManager
- 10240
- 20150728.135021
-
-
-
- IE8Enterprise
- MSEdge
-
-
- default
- IE11
-
-
- IE7Enterprise
- IE11
-
-
- default
- IE11
-
-
- default
- none
-
- IE8Enterprise"
-
-
- IE7
- IE11
-
-
- IE8Enterprise
- IE11
-
-
- IE7
- IE11
-
-
-```
-
-### Updated schema elements
-This table includes the elements used by the v.2 version of the Enterprise Mode schema.
-
-
-
-
-
Element
-
Description
-
Supported browser
-
-
-
-
-
<site-list>
-
A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
-
IE8Enterprise. Loads the site in IE8 Enterprise Mode. This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
-
IE7Enterprise. Loads the site in IE7 Enterprise Mode. This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
Important This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
-
IE[x]. Where [x] is the document mode number into which the site loads.
-
Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
-
-
Internet Explorer 11
-
-
-
<open-in>
-
A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
-
IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
-
MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
-
None or not specified. Opens in whatever browser the employee chooses.
-
-
Internet Explorer 11 and Microsoft Edge
-
-
-
-### Updated schema attributes
-The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
-
-
-
-
-
Attribute
-
Description
-
Supported browser
-
-
-
-
-
allow-redirect
-
A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
-
-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
-
Internet Explorer 11 and Microsoft Edge
-
-
-
version
-
Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
-
Internet Explorer 11 and Microsoft Edge
-
-
-
url
-
Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
- Note
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.
-
-
-While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
-
-**Important**
-Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
-
-### What not to include in your schema
-We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
-
-- Don’t use protocols. For example, https://, https://, or custom protocols. They break parsing.
-- Don’t use wildcards.
-- Don’t use query strings, ampersands break parsing.
-
-## Related topics
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
+author: lomayor
+ms.prod: ie11
+ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: lomayor
+title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 12/04/2017
+---
+
+
+# Enterprise Mode schema v.2 guidance
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
+
+**Important**
+If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+## Enterprise Mode schema v.2 updates
+Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
+
+- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
+
+- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
+
+You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
+
+### Enterprise Mode v.2 schema example
+The following is an example of the v.2 version of the Enterprise Mode schema.
+
+**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both https://contoso.com and https://contoso.com.
+
+``` xml
+
+
+
+ EnterpriseSitelistManager
+ 10240
+ 20150728.135021
+
+
+
+ IE8Enterprise
+ MSEdge
+
+
+ default
+ IE11
+
+
+ IE7Enterprise
+ IE11
+
+
+ default
+ IE11
+
+
+ default
+ none
+
+ IE8Enterprise"
+
+
+ IE7
+ IE11
+
+
+ IE8Enterprise
+ IE11
+
+
+ IE7
+ IE11
+
+
+```
+
+### Updated schema elements
+This table includes the elements used by the v.2 version of the Enterprise Mode schema.
+
+
+
+
+
Element
+
Description
+
Supported browser
+
+
+
+
+
<site-list>
+
A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
+
A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
+
IE8Enterprise. Loads the site in IE8 Enterprise Mode. This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
+
IE7Enterprise. Loads the site in IE7 Enterprise Mode. This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
Important This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
+
IE[x]. Where [x] is the document mode number into which the site loads.
+
Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
+
+
Internet Explorer 11
+
+
+
<open-in>
+
A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
+
IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
+
MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
+
None or not specified. Opens in whatever browser the employee chooses.
+
+
Internet Explorer 11 and Microsoft Edge
+
+
+
+### Updated schema attributes
+The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
+
+
+
+
+
Attribute
+
Description
+
Supported browser
+
+
+
+
+
allow-redirect
+
A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
+
+In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
+
Internet Explorer 11 and Microsoft Edge
+
+
+
version
+
Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
+
Internet Explorer 11 and Microsoft Edge
+
+
+
url
+
Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
+ Note
+Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.
+
+
+While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
+
+**Important**
+Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
+
+### What not to include in your schema
+We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
+
+- Don’t use protocols. For example, https://, https://, or custom protocols. They break parsing.
+- Don’t use wildcards.
+- Don’t use query strings, ampersands break parsing.
+
+## Related topics
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index e93450be88..25226f2ad0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -1,54 +1,54 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
-author: lomayor
-ms.prod: ie11
-ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using Microsoft Intune
-Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
-
-## Adding and deploying the IE11 package
-You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
-
- **To add the IE11 package**
-
-1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
-
-2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
-
-For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-
- **To automatically deploy and install the IE11 package**
-
-1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
-
-2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
-
-3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
-
-For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-
- **To let your employees install the IE11 package**
-
-1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
-
-2. Any employee in the assigned group can now install the package.
-
-For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
+author: lomayor
+ms.prod: ie11
+ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Install Internet Explorer 11 (IE11) using Microsoft Intune
+Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
+
+## Adding and deploying the IE11 package
+You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
+
+ **To add the IE11 package**
+
+1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
+
+2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
+
+For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+
+ **To automatically deploy and install the IE11 package**
+
+1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
+
+2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
+
+3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
+
+For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+
+ **To let your employees install the IE11 package**
+
+1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
+
+2. Any employee in the assigned group can now install the package.
+
+For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index c1f405ec66..d96bb1744c 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -1,51 +1,52 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
-author: lomayor
-ms.prod: ie111
-ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Browsing Options page in the IEAK 11 Wizard
-The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
-
-The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
-
-**To use the Browsing Options page**
-
-1. Decide how you want to manage links that are already installed on your employee’s computer:
-
- - **Delete all existing items under Favorites, Favorites Bar and Feeds.** Removes all of the links, Web Slices, feeds, and Accelerators on the computer. This includes links and favorites added by you or the employee. Because this removes everything, we recommend that you use this option with caution.
-
- - **Only delete the items created by the administrator.** Removes only the items that you added for your employees on the **Favorites, Favorites Bar and Feeds** page.
-
- - **Don’t delete any items.** Doesn’t remove anything. Links Web Slices, feeds, and Accelerators are added to your employee computers at the top of the list, in the order you picked on the **Favorites, Favorites Bar and Feeds** page.
-
-2. Decide if you don’t want to add the Microsoft-default items:
-
- - **Favorites.** Checking this box won’t add the Microsoft-defined links.
-
- - **Web Slices and Links.** Checking this box won’t add the Microsoft-defined Web Slices or links.
-
- - **Feeds.** Checking this box won’t add the Microsoft-defined RSS feeds.
-
- - **Accelerators.** Checking this box won’t add the Microsoft-defined Accelerators.
-
-3. Click **Next** to go to the [First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) page or **Back** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
+author: lomayor
+ms.prod: ie11
+ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: lomayor
+title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Browsing Options page in the IEAK 11 Wizard
+The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
+
+The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
+
+**To use the Browsing Options page**
+
+1. Decide how you want to manage links that are already installed on your employee’s computer:
+
+ - **Delete all existing items under Favorites, Favorites Bar and Feeds.** Removes all of the links, Web Slices, feeds, and Accelerators on the computer. This includes links and favorites added by you or the employee. Because this removes everything, we recommend that you use this option with caution.
+
+ - **Only delete the items created by the administrator.** Removes only the items that you added for your employees on the **Favorites, Favorites Bar and Feeds** page.
+
+ - **Don’t delete any items.** Doesn’t remove anything. Links Web Slices, feeds, and Accelerators are added to your employee computers at the top of the list, in the order you picked on the **Favorites, Favorites Bar and Feeds** page.
+
+2. Decide if you don’t want to add the Microsoft-default items:
+
+ - **Favorites.** Checking this box won’t add the Microsoft-defined links.
+
+ - **Web Slices and Links.** Checking this box won’t add the Microsoft-defined Web Slices or links.
+
+ - **Feeds.** Checking this box won’t add the Microsoft-defined RSS feeds.
+
+ - **Accelerators.** Checking this box won’t add the Microsoft-defined Accelerators.
+
+3. Click **Next** to go to the [First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) page or **Back** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 6cc535e14f..7a6e3d009f 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,106 +1,107 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Learn about the version of the IEAK 11 you should run, based on your license agreement.
-author: lomayor
-ms.author: lomayor
-ms.prod: ie11, ieak11
-ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
-audience: itpro
manager: dansimp
-title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/23/2018
----
-
-
-# Determine the licensing version and features to use in IEAK 11
-In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
-
-During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
-
-- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- >[!IMPORTANT]
- >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
-
-- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
-
-## Available features by version
-
-| Feature | Internal | External |
-|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-| Welcome screen |  |  |
-| File locations |  |  |
-| Platform selection |  |  |
-| Language selection |  |  |
-| Package type selection |  |  |
-| Feature selection |  |  |
-| Automatic Version Synchronization (AVS) |  |  |
-| Custom components |  |  |
-| Internal install |  |  |
-| User experience |  |  |
-| Browser user interface |  |  |
-| Search providers |  |  |
-| Important URLs – Home page and support |  |  |
-| Accelerators |  |  |
-| Favorites, Favorites bar, and feeds |  |  |
-| Browsing options |  |  |
-| First Run wizard and Welcome page options |  |  |
-| Connection manager |  |  |
-| Connection settings |  |  |
-| Automatic configuration |  |  |
-| Proxy settings |  |  |
-| Security and privacy settings |  |  |
-| Add a root certificate |  |  |
-| Programs |  |  |
-| Additional settings |  |  |
-| Wizard complete |  |  |
-
----
-
-
-## Customization guidelines
-
-Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-
-- **External Distribution**
- This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-
-- **Internal Distribution**
- This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
-
-The table below identifies which customizations you may or may not perform based on the mode you selected.
-
-| **Feature Name** | **External Distribution** | **Internal Distribution** |
-|---------------------------------|:--------------------:|:-------------------:|
-| **Custom Components** | Yes | Yes |
-| **Title Bar** | Yes | Yes |
-| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
-| **Search Provider URLs** | Yes | Yes |
-| **Search Guide URL** | No | Yes |
-| **Online Support URL** | Yes | Yes |
-| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
-| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
-| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
-| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
-| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
-| **Browsing Options** | No | Yes |
-| **Security and Privacy Settings** | No | Can add any number of sites. |
-| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
-| **User Experience** (Setup/Restart) | No | Yes |
-| **User Agent String** | Yes | Yes |
-| **Compatibility View** | Yes | Yes |
-| **Connection Settings and Manage** | Yes | Yes |
-
-
-Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options).
-
-## Distribution guidelines
-
-Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-
-- **External Distribution**
- You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
-
-- **Internal Distribution - corporate intranet**
- The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: plan
+description: Learn about the version of the IEAK 11 you should run, based on your license agreement.
+author: lomayor
+ms.author: lomayor
+ms.prod: ie11
+ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
+ms.reviewer:
+audience: itpro
+manager: dansimp
+title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/23/2018
+---
+
+
+# Determine the licensing version and features to use in IEAK 11
+In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
+
+During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
+
+- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
+ >[!IMPORTANT]
+ >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+
+- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
+
+## Available features by version
+
+| Feature | Internal | External |
+|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
+| Welcome screen |  |  |
+| File locations |  |  |
+| Platform selection |  |  |
+| Language selection |  |  |
+| Package type selection |  |  |
+| Feature selection |  |  |
+| Automatic Version Synchronization (AVS) |  |  |
+| Custom components |  |  |
+| Internal install |  |  |
+| User experience |  |  |
+| Browser user interface |  |  |
+| Search providers |  |  |
+| Important URLs – Home page and support |  |  |
+| Accelerators |  |  |
+| Favorites, Favorites bar, and feeds |  |  |
+| Browsing options |  |  |
+| First Run wizard and Welcome page options |  |  |
+| Connection manager |  |  |
+| Connection settings |  |  |
+| Automatic configuration |  |  |
+| Proxy settings |  |  |
+| Security and privacy settings |  |  |
+| Add a root certificate |  |  |
+| Programs |  |  |
+| Additional settings |  |  |
+| Wizard complete |  |  |
+
+---
+
+
+## Customization guidelines
+
+Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
+
+- **External Distribution**
+ This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
+
+- **Internal Distribution**
+ This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
+
+The table below identifies which customizations you may or may not perform based on the mode you selected.
+
+| **Feature Name** | **External Distribution** | **Internal Distribution** |
+|---------------------------------|:--------------------:|:-------------------:|
+| **Custom Components** | Yes | Yes |
+| **Title Bar** | Yes | Yes |
+| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
+| **Search Provider URLs** | Yes | Yes |
+| **Search Guide URL** | No | Yes |
+| **Online Support URL** | Yes | Yes |
+| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
+| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
+| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
+| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
+| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
+| **Browsing Options** | No | Yes |
+| **Security and Privacy Settings** | No | Can add any number of sites. |
+| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
+| **User Experience** (Setup/Restart) | No | Yes |
+| **User Agent String** | Yes | Yes |
+| **Compatibility View** | Yes | Yes |
+| **Connection Settings and Manage** | Yes | Yes |
+
+
+Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options).
+
+## Distribution guidelines
+
+Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
+
+- **External Distribution**
+ You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
+
+- **Internal Distribution - corporate intranet**
+ The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index efbae636fc..a3c0045275 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -1,35 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
-author: lomayor
-ms.prod: ie11
-ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Platform Selection page in the IEAK 11 Wizard
-The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
-
-**To use the Platform Selection page**
-
-1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.
-You must create individual packages for each supported operating system.
-**Note** To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md).
-
-2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
+author: lomayor
+ms.prod: ie11
+ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Platform Selection page in the IEAK 11 Wizard
+The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
+
+**To use the Platform Selection page**
+
+1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.
+You must create individual packages for each supported operating system.
+**Note** To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md).
+
+2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index a4d2c384bb..8b0ff1ece4 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -1,39 +1,39 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
-author: lomayor
-ms.prod: ie11
-ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Programs page in the IEAK 11 Wizard
-The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
-
-**Important** The customizations you make on this page only apply to Internet Explorer for the desktop.
-
-**To use the Programs page**
-
-1. Determine whether you want to customize your connection settings. You can pick:
-
- - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.
-OR-
-
- - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.
**Note** If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes.
-
-2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
+author: lomayor
+ms.prod: ie11
+ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Programs page in the IEAK 11 Wizard
+The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
+
+**Important** The customizations you make on this page only apply to Internet Explorer for the desktop.
+
+**To use the Programs page**
+
+1. Determine whether you want to customize your connection settings. You can pick:
+
+ - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.
-OR-
+
+ - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.
**Note** If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes.
+
+2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md
index c2dbda0086..ad64db8744 100644
--- a/browsers/internet-explorer/index.md
+++ b/browsers/internet-explorer/index.md
@@ -2,7 +2,7 @@
ms.mktglfcycl: deploy
description: The landing page for IE11 that lets you access the documentation.
author: shortpatti
-ms.prod: IE11
+ms.prod: ie11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 36cbb30a09..fe85d293be 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,36 +1,45 @@
-# [Microsoft HoloLens](index.md)
-# [What's new in HoloLens](hololens-whats-new.md)
-# [Set up HoloLens](hololens-setup.md)
+# [HoloLens overview](index.md)
+# [Hololens status](hololens-status.md)
-# Deploy HoloLens in a commercial environment
+# Get started with HoloLens (gen 1)
+## [Start your HoloLens (1st gen) for the first time](hololens-start.md)
+## [Install localized version of HoloLens](hololens-install-localized.md)
+
+# Get started with HoloLens in commercial environments
## [Overview and deployment planning](hololens-requirements.md)
+## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
+## [Set up ring based updates for HoloLens](hololens-updates.md)
+## [Manage custom enterprise apps](hololens-install-apps.md)
+## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
-# Device Management
-## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
-## [Install localized version of HoloLens](hololens-install-localized.md)
-## [Manage updates to HoloLens](hololens-updates.md)
-## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
-## [Use the HoloLens Clicker](hololens-clicker.md)
-## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md)
-## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md)
+# Navigating Windows Holographic
+## [Windows Mixed Reality home](holographic-home.md)
+## [Voice and Cortana](hololens-cortana.md)
+## [Find and save files](hololens-find-and-save-files.md)
+## [Create, share, and view photos and video](holographic-photos-and-video.md)
+
+# Accessories and connectivity
+## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md)
+## [Restart or recover the HoloLens (1st gen) clicker](hololens-clicker-restart-recover.md)
+## [Connect to a network](hololens-network.md)
+## [Use HoloLens offline](hololens-offline.md)
# Application Management
-## [Install apps on HoloLens](hololens-install-apps.md)
## [Share HoloLens with multiple people](hololens-multiple-users.md)
-## [Cortana on HoloLens](hololens-cortana.md)
## [Get apps for HoloLens](hololens-get-apps.md)
## [Use apps on HoloLens](hololens-use-apps.md)
## [Use HoloLens offline](hololens-offline.md)
## [Spaces on HoloLens](hololens-spaces-on-hololens.md)
+## [How HoloLens stores data for spaces](hololens-spaces.md)
+
+# Recovery and troubleshooting
+## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
+## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md)
# User/Access Management
## [Set up single application access](hololens-kiosk.md)
-## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
-## [How HoloLens stores data for spaces](hololens-spaces.md)
-## [Find and save files](hololens-find-and-save-files.md)
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
-
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index b886719944..a228d800c0 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -50,11 +50,6 @@ New or changed topic | Description
--- | ---
Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809)
-## June 2018
-
-New or changed topic | Description
---- | ---
-[HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md#pin) | Added instructions for creating a sign-in PIN.
## May 2018
@@ -86,12 +81,6 @@ New or changed topic | Description
--- | ---
[Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | New
-## May 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Microsoft HoloLens in the enterprise: requirements](hololens-requirements.md) | Changed title to **Microsoft HoloLens in the enterprise: requirements and FAQ**, added questions and answers in new [FAQ section](hololens-requirements.md#faq-for-hololens) |
-
## January 2017
| New or changed topic | Description |
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index b19110b8f2..7cda17b22f 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -32,7 +32,8 @@
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "jdecker",
+ "audience": "ITPro",
+ "manager": "laurawi",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md
new file mode 100644
index 0000000000..576866ca2c
--- /dev/null
+++ b/devices/hololens/holographic-home.md
@@ -0,0 +1,90 @@
+---
+title: Navigate the Windows Mixed Reality home
+description: Navigate the Windows Mixed Reality home in Windows Holographic.
+ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c
+ms.date: 08/07/2019
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+author: scooley
+ms.author: scooley
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Navigate the Windows Mixed Reality home
+
+## [Navigating MR Home](https://docs.microsoft.com/en-us/windows/mixed-reality/navigating-the-windows-mixed-reality-home)
+
+## Use the Start menu
+
+The **Start** menu on HoloLens is where you'll open apps and get to the HoloLens camera.
+
+Wherever you are in HoloLens, you can always open the **Start** menu by using the [bloom gesture](https://support.microsoft.com/help/12644/hololens-use-gestures) on HoloLens (1st gen) or tapping your wrist on HoloLens 2. Usually, you'll use it once to get to **Start**, but sometimes you might need to use it twice.
+
+> [!TIP]
+> When the **Start** menu is open, use the start gesture to hide it again.
+
+At the top of the **Start** menu, you'll see status indicators for Wi-Fi, battery, and volume, plus a clock. The tiles are your pinned apps. To talk to Cortana, select her tile, or just say "Hey Cortana" from anywhere on HoloLens. At the bottom you'll find the photo and video icons, which open the camera app.
+
+To see the rest of your apps, select **All apps**. To get back to **Start** from the **All apps** list, select **Pinned apps**.
+
+## Use apps on HoloLens
+
+Apps on HoloLens use either 2D view or holographic view. Apps with 2D view look like windows, and apps with holographic view surround you and become the only app you see.
+
+### Open apps
+
+You'll find your apps either pinned to **Start** or in the **All apps** list. To get to the **All apps** list, use the bloom gesture to go to **Start**, then select **All apps**.
+
+On **Start** or in the **All apps** list, select an app. It will open in a good position for viewing.
+
+>[!NOTE]
+>- Up to three 2D app windows can be active at a time. You can open more, but only three will remain active.
+>- Each open app can have one active window at a time, except Microsoft Edge, which can have up to three.
+>- If you're having problems with apps, make sure there's enough light in your space, and walk around so HoloLens has a current scan. If you keep having trouble, see [HoloLens and holograms: FAQ](https://support.microsoft.com/help/13456/hololens-and-holograms-faq) for more info.
+
+## Move, resize, and rotate apps
+
+Moving and resizing apps on HoloLens works a bit differently than it does on a PC. Instead of dragging the app, you'll use your gaze, along with a [gesture](https://support.microsoft.com/help/12644/hololens-use-gestures) or the [clicker](hololens-clicker.md). You can also rotate an app window in 3D space.
+
+> [!TIP]
+> Rearrange apps using your voice—gaze at an app and say "Face me," "Bigger," or "Smaller." Or have Cortana move an app for you: say "Hey Cortana, move <*app name*> here."
+
+### Move an app
+
+Gaze at the app, and then do one of the following.
+
+- Tap and hold to select the app. Move your hand to position the app, and raise your finger to place it.
+
+- Select **Adjust**, tap and hold, and move your hand to position the app. Raise your finger to place it, then select **Done**.
+- Select **Adjust**, click and hold the clicker, and move your hand to position the app. Release the clicker, then select **Done**.
+
+> [!TIP]
+> If you drop apps when you move them, make sure to keep your hand in the gesture frame by following it with your gaze.
+
+### Resize an app
+
+Gaze at the app, and then do one of the following.
+
+- Gaze at a corner or edge of an app window, and tap and hold. Move your hand to change the app's size, and raise your finger when you're done.
+
+- Select **Adjust**. Gaze at one of the blue squares at the corners of the app, tap and hold, then move your hand to resize the app. Raise your finger to release it, then select **Done**.
+- Select **Adjust**. Gaze at one of the blue squares at the corners of the app, click and hold the clicker, then move your hand to resize the app. Release the clicker, then select **Done**.
+
+> [!TIP]
+> In Adjust mode, you can move or resize any hologram.
+
+### Rotate an app
+
+Gaze at the app, and tap and hold with both hands to select it. Rotate the app by keeping one hand steady and moving your other hand around it. When you're done, raise both index fingers.
+
+## Close apps
+
+To close an app that uses 2D view, gaze at it, then select **Close**.
+
+To close an app that uses holographic view, use the bloom gesture to leave holographic view, then select **Close**.
+
+## Pin apps
+
+Keep your favorite apps handy by pinning them to **Start**. In the **All apps** list, gaze at an app to highlight it. Tap and hold until the menu appears, then select **Pin**. To unpin an app, gaze at the app on **Start**, then tap and hold and select **Unpin**.
diff --git a/devices/hololens/holographic-photos-and-video.md b/devices/hololens/holographic-photos-and-video.md
new file mode 100644
index 0000000000..25e8d4a104
--- /dev/null
+++ b/devices/hololens/holographic-photos-and-video.md
@@ -0,0 +1,42 @@
+---
+title: Create, share, and view photos and video
+description: Create, share, and view photos and video
+ms.assetid: 1b636ec3-6186-4fbb-81b2-71155aef0593
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+ms.reviewer:
+manager: jarrettr
+appliesto:
+- Hololens (1st gen)
+---
+
+# Create, share, and view photos and video
+
+Use your HoloLens to take photos and videos that capture the holograms you've placed in your world.
+
+To sync your photos and videos to OneDrive, open the OneDrive app and select **Settings** > **Camera upload**, and then turn on **Camera upload**.
+
+## Take a photo
+
+Use the [bloom](https://support.microsoft.com/help/12644/hololens-use-gestures) gesture to go to **Start**, then select **Photo**. Use gaze to position the photo frame, then air tap to take the picture. The picture will be saved to your collection in the Photos app.
+
+Want to snap a quick pic? Press the volume up and volume down buttons at the same time. [Where are the buttons?](https://support.microsoft.com/help/12649/hololens-whats-in-the-box)
+
+## Take a video
+
+Use the bloom gesture to go to **Start**, then select **Video**. Use gaze to position the video frame, then air tap to start recording. To stop recording, use bloom once. The video will be saved to your collection in the Photos app.
+
+To start recording more quickly, press and hold the volume up and volume down buttons simultaneously until a 3-second countdown begins. To stop recording, tap both buttons.
+
+> [!TIP]
+> You can always have Cortana take a photo or a video for you. Just say "Hey Cortana, take a photo" or "Hey Cortana, take a video." [What else can I say to Cortana?](hololens-cortana.md)
+
+[Take + share photos and video with Mixed reality capture](https://docs.microsoft.com/en-us/windows/mixed-reality/mixed-reality-capture)
+
+[Find and view your photos](https://docs.microsoft.com/en-us/windows/mixed-reality/see-your-photos)
diff --git a/devices/hololens/hololens-clicker-restart-recover.md b/devices/hololens/hololens-clicker-restart-recover.md
index 81c7ffc704..25e49740c9 100644
--- a/devices/hololens/hololens-clicker-restart-recover.md
+++ b/devices/hololens/hololens-clicker-restart-recover.md
@@ -16,6 +16,8 @@ ms.localizationpriority: medium
# Restart or recover the HoloLens clicker
+[Clicker recovery](https://support.microsoft.com/en-us/help/15555)
+
Here are some things to try if the HoloLens clicker is unresponsive or isn’t working well.
## Restart the clicker
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
new file mode 100644
index 0000000000..c702921e14
--- /dev/null
+++ b/devices/hololens/hololens-connect-devices.md
@@ -0,0 +1,46 @@
+---
+title: Connect to Bluetooth and USB-C devices
+description: This guide walks through connecting to Bluetooth and USB-C devices and accessories.
+ms.assetid: 01af0848-3b36-4c13-b797-f38ad3977e30
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Connect devices and accessories
+
+## Pair Bluetooth devices
+
+Pair a Bluetooth mouse and keyboard with HoloLens, then use them to interact with holograms and to type anywhere you'd use the holographic keyboard. Pair the HoloLens [clicker](hololens-clicker.md) for a different way to interact with HoloLens.
+
+> [!NOTE]
+> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported. [Learn more](http://go.microsoft.com/fwlink/p/?LinkId=746660).
+
+### Pair a Bluetooth keyboard or mouse
+
+1. Turn on your keyboard or mouse and make it discoverable. The way you make it discoverable depends on the device. Check the device or visit the manufacturer's website to learn how.
+
+1. Go to **Start**, then select **Settings**.
+1. Select **Devices** and make sure Bluetooth is on. When you see the device name, select **Pair** and follow the instructions.
+
+### Pair the clicker
+
+1. Use the bloom gesture to go to **Start**, then select **Settings**.
+
+1. Select **Devices** and make sure Bluetooth is on.
+1. Use the tip of a pen to press and hold the clicker's pairing button until the status light blinks white. Make sure to hold the button down until the light starts blinking. [Where's the pairing button?](hololens-clicker.md)
+1. On the pairing screen, select **Clicker** > **Pair**.
+
+## Connect USB-C devices
+
+## Connect to Miracast
+
+> Applies to HoloLens 2 only.
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index dfe9539b1b..03ad75f637 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -2,26 +2,63 @@
title: Cortana on HoloLens
description: Cortana can help you do all kinds of things on your HoloLens
ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
-ms.reviewer: jarrettrenshaw
-ms.date: 07/01/2019
-manager: v-miegge
+ms.date: 08/14/2019
keywords: hololens
ms.prod: hololens
ms.sitesec: library
author: v-miegge
ms.author: v-miegge
ms.topic: article
+manager: jarrettr
ms.localizationpriority: medium
---
-# Cortana on HoloLens
+# Use your voice with HoloLens
+
+You can use your voice to do many of the same things you do with gestures on HoloLens, like taking a quick photo or opening an app.
+
+## Voice commands
+
+Get around HoloLens faster with these basic commands. If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use the following built-in voice commands.
+
+**Select**. Use this instead of air tap. Gaze at a hologram, then say "Select."
+
+**Go to start**. Say "Go to Start" anytime to bring up the **Start** menu. Or when you're in an immersive app, say "Go to Start" to get to the quick actions menu.
+
+**Move this**. Instead of air tapping and dragging an app, say "Move this" and use gaze to move it.
+
+**Face me**. Gaze at a hologram, and then say "Face me" to turn it your way.
+
+**Bigger/Smaller**. Gaze at a hologram, and then say "Bigger" or "Smaller" to resize it.
+
+Many buttons and other elements on HoloLens also respond to your voice—for example, **Adjust** and **Close** on the app bar. To find out if a button is voice-enabled, rest your gaze on it for a moment. If it is, you'll see a voice tip.
+
+## Dictation mode
+
+Tired of typing? Switch to dictation mode any time the holographic keyboard is active. Select the microphone icon to get started, or say "Start dictating." To stop dictating, select **Done** or say "Stop dictating." To delete what you just dictated, say "Delete that."
+
+> [!NOTE]
+> You need an Internet connection to use dictation mode.
+
+HoloLens dictation uses explicit punctuation, meaning that you say the name of the punctuation you want to use. For instance, you might say "Hey **comma** what are you up to **question mark**."
+
+Here are the punctuation keywords you can use:
+
+- Period, comma, question mark, exclamation point/exclamation mark
+- New line/new paragraph
+- Semicolon, colon
+- Open quote(s), close quote(s)
+- Hashtag, smiley/smiley face, frowny, winky
+- Dollar, percent
+
+Sometimes it's helpful to spell out things like email addresses. For instance, to dictate example@outlook.com, you'd say "E X A M P L E at outlook dot com."
+
+## Do more with Cortana
Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. To get her attention, select Cortana on Start or say "Hey Cortana" anytime.
-## What do I say to Cortana
-
Here are some things you can try saying (remember to say "Hey Cortana" first):
- What can I say?
@@ -44,7 +81,8 @@ Here are some things you can try saying (remember to say "Hey Cortana" first):
- Tell me a joke.
>[!NOTE]
->- Some Cortana features you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens Development Edition. Cortana on HoloLens is English only, and the Cortana experience may vary among regions.
->- Cortana is on the first time you use HoloLens. You can turn her off in Cortana's settings. In the All apps list, select Cortana > Settings. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more.
+>
+>- Some Cortana features you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens Development Edition. Cortana on HoloLens is English-only, and the Cortana experience may vary among regions.
+>- Cortana is on the first time you use HoloLens. You can turn her off in Cortana's settings. In the **All apps** list, select **Cortana > Settings**. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more.
>- If Cortana isn't responding to "Hey Cortana," go to Cortana's settings and check to make sure she's on.
->- If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use other commands (like "Select" and "Place").
+>- If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use other commands (such as "Select" and "Place").
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index 8cbeaf26eb..838674f0dc 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -102,6 +102,6 @@ Provisioning packages are files created by the Windows Configuration Designer to
Encryption is silent on HoloLens. To verify the device encryption status:
-- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted.
+- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted.
diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md
index ba459eff13..e147ac2845 100644
--- a/devices/hololens/hololens-find-and-save-files.md
+++ b/devices/hololens/hololens-find-and-save-files.md
@@ -16,6 +16,9 @@ ms.localizationpriority: medium
# Find and save files on HoloLens
+Add content from [Find and save files](https://docs.microsoft.com/en-us/windows/mixed-reality/saving-and-finding-your-files)
+
+
Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens.
## View files on HoloLens
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index c4f9c80521..7ff737a027 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -1,16 +1,15 @@
---
-title: Install apps on HoloLens (HoloLens)
+title: Install apps on HoloLens
description: The recommended way to install apps on HoloLens is to use Microsoft Store for Business.
ms.prod: hololens
ms.mktglfcycl: manage
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: scooley
+ms.author: scooley
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/23/2018
ms.reviewer:
-manager: dansimp
---
# Install apps on HoloLens
@@ -72,9 +71,9 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
-1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
-2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
+2. On a PC, connect to the HoloLens using [Wi-Fi](https://docs.microsoft.com/windows/mixed-reality/connecting-to-wi-fi-on-hololens) or USB.
3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
@@ -84,13 +83,7 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft.
4. In the Windows Device Portal, click **Apps**.
-
+
5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, such as dependency frameworks, select **I want to specify framework packages**.
6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens.
-
-
-
-
-
-
diff --git a/devices/hololens/hololens-network.md b/devices/hololens/hololens-network.md
new file mode 100644
index 0000000000..6f7cb43370
--- /dev/null
+++ b/devices/hololens/hololens-network.md
@@ -0,0 +1,40 @@
+---
+title: Connect to a network
+description: Connect to a wi-fi or ethernet network with HoloLens.
+ms.assetid: 0895606e-96c0-491e-8b1c-52e56b00365d
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+manager: jarrettr
+ms.reviewer:
+appliesto:
+- Hololens
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Connect to a network
+
+You'll need to be connected to a network to do most things on your HoloLens. [What can I do offline](hololens-offline.md)?
+
+## Connecting for the first time
+
+The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. If you have trouble connecting to Wi-Fi during setup, make sure your network is either open, password protected, or a captive portal network and doesn't require using certificates to connect. After setup, you can connect to other types of Wi-Fi networks.
+
+## Connecting to Wi-Fi after setup
+
+1. Go to **Start**, then select **Settings**.
+
+1. _HoloLens (1st gen) only_ - Use your gaze to position the Settings app, then air tap to place it, or say "Place."
+
+1. Select **Network & Internet** > **Wi-Fi**. If you don't see your network, scroll down the list.
+
+1. Select a network > **Connect**.
+
+1. Type the network password if asked for one, then select **Next**.
+
+Also see [Connect to Wifi](https://docs.microsoft.com/en-us/windows/mixed-reality/connecting-to-wi-fi-on-hololens)
diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md
index 49190e6907..7de0cc1381 100644
--- a/devices/hololens/hololens-offline.md
+++ b/devices/hololens/hololens-offline.md
@@ -16,6 +16,9 @@ ms.localizationpriority: medium
# Use HoloLens offline
+[Use offline](https://support.microsoft.com/en-us/help/12645)
+
+
To set up HoloLens, you'll need to connect to a Wi-Fi network—the setup tutorial will show you how.
## HoloLens limitations
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 6cb247c60b..6d0b1dcf12 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -1,88 +1,147 @@
---
-title: HoloLens in the enterprise requirements and FAQ (HoloLens)
-description: Requirements and FAQ for general use, Wi-Fi, and device management for HoloLens in the enterprise.
+title: Set up HoloLens in a commercial environment
+description: Learn more about deploying and managing HoloLens in enterprise environments.
ms.prod: hololens
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
+author: scooley
+ms.author: scooley
ms.topic: article
ms.localizationpriority: medium
-ms.date: 06/04/2018
-ms.reviewer:
-manager: dansimp
+ms.date: 07/15/2019
---
-# Microsoft HoloLens in the enterprise: requirements and FAQ
+# Deploy HoloLens in a commercial environment
-When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
+TODO - [Commercial features](https://docs.microsoft.com/en-us/windows/mixed-reality/commercial-features)
-## Requirements
+Deploy and configure HoloLens at scale in a commercial setting.
-### General use
-- Microsoft account or Azure Active Directory (Azure AD) account
-- Wi-Fi network to set up HoloLens
+This article includes:
->[!NOTE]
->After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
+- infrastructure requirements and recommendations for HoloLens management
+- tools for provisioning HoloLens
+- instructions for remote device management
+- options for application deployment
+This guide assumes basic familiarity with HoloLens. Follow the [get started guide](./hololens-setup.md) to set up HoloLens for the first time.
+
+## Infrastructure for managing HoloLens
+
+HoloLens are, at their core, a Windows mobile device integrated with Azure. They work best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services.
+
+Critical cloud services include:
+
+- Azure active directory (AAD)
+- Windows Update (WU)
+
+Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure in order to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune) as an example though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2.
+
+HoloLens does support a limited set of cloud disconnected experiences.
+
+## Initial set up at scale
+
+The HoloLens out of box experience is great for setting up one or two devices or for experiencing HoloLens for the first time. If you're provisioning many HoloLens devices, however, picking your language and settings manually for each device gets tedious and limits scale.
+
+This section:
+
+1. introduces Windows provisioning using provisioning packages
+1. walks through applying a provisioning package during first setup
+
+### Create and apply a provisioning package
+
+The best way to configure many new HoloLens devices is with Windows provisioning. Using Windows provisioning, you can specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in minutes.
+
+A [provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) (.ppkg) is a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device.
+
+### Upgrade to Windows Holographic for Business
+
+- HoloLens Enterprise license XML file
+
+Some of the HoloLens configurations that you can apply in a provisioning package:
+
+- Apply certificates to the device
+- Set up a Wi-Fi connection
+- Pre-configure out of box questions like language and locale.
+- (HoloLens 2) bulk enroll in mobile device management
+- (HoloLens v1) Apply key to enable Windows Holographic for Business
+
+Follow [this guide](https://docs.microsoft.com/hololens/hololens-provisioning) to create and apply a provisioning package to HoloLens.
+
+### Set up user identity and enroll in device management
+
+The last step setting up HoloLens for management at scale is to enroll devices with mobile device management infrastructure. There are several ways to enroll:
+
+1. Bulk enrollment with a security token in a provisioning package.
+ Pros: this is the most automated approach
+ Cons: takes initial server-side setup
+1. Auto-enroll on user sign in
+ Pros: easiest approach
+ Cons: users will need to complete set up after the provisioning package has been applied
+1. _not recommended_ - Manually enroll post-setup
+ Pros: possible to enroll after set up
+ Cons: most manual approach and devices aren't centrally manageable until they're manually enrolled.
+
+Learn more about MDM enrollment [here](hololens-enroll-mdm.md).
+
+## Ongoing device management
+
+Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
+
+This article outlines [policies and capabilities HoloLens supports](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#hololens).
+
+[This article](https://docs.microsoft.com/intune/windows-holographic-for-business) talks about Intune's management tools for HoloLens.
+
+### Push compliance policy via Intune
+
+[Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are not-compliant.
+
+For example, you can create a policy that requires Bitlocker be enabled.
+
+[Create compliance policies with Intune](https://docs.microsoft.com/intune/compliance-policy-create-windows).
+
+### Manage updates
+
+Intune includes a feature called update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed.
+
+For example, you can create a maintenance window to install updates, or choose to restart after updates are installed. You can also choose to pause updates indefinitely until you're ready to update.
+
+Read more about [configuring update rings with Intune](https://docs.microsoft.com/en-us/intune/windows-update-for-business-configure).
+
+## Application management
+
+Manage holoLens applications through:
+
+1. Microsoft Store
+ The Microsoft Store is the best way to distribute and consume application on HoloLens. There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/en-us/windows/uwp/publish/).
+ All applications in the store are available publicly to everyone, if that isn't acceptable, checkout the Microsoft Store for Business.
+
+1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/)
+ Microsoft Store for Business and Education is a custom store for your corporate environment. It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization. It lets you deploy apps that are specific to your commercial environment but not to the world.
+
+1. Application deployment and management via Intune or another mobile device management solution
+ Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices. See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy).
+
+1. _not recommended_ Device Portal
+ Applications can also be installed on HoloLens directly using the Windows Device Portal. This isn't recommended since Developer Mode has to be enabled to use device portal.
+
+Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps).
+
+## Get support
+
+Get support through the Microsoft support site.
+
+[File a support request](https://support.microsoft.com/en-us/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
+
+## Technical Reference
+
+### Wireless network EAP support
-### Supported wireless network EAP methods
- PEAP-MS-CHAPv2
- PEAP-TLS
-- TLS
+- TLS
- TTLS-CHAP
- TTLS-CHAPv2
- TTLS-MS-CHAPv2
- TTLS-PAP
- TTLS-TLS
-
-### Device management
- - Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
- - Wi-Fi network
- - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
-
-### Upgrade to Windows Holographic for Business
-- HoloLens Enterprise license XML file
-
-
-## FAQ for HoloLens
-
-
-#### Is Windows Hello for Business supported on HoloLens?
-
-Windows Hello for Business (using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens:
-
-1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md).
-2. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello))
-3. On HoloLens, the user can then set up a PIN from **Settings** > **Sign-in Options** > **Add PIN**.
-
->[!NOTE]
->Users who sign in with a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview).
-
-#### Does the type of account change the sign-in behavior?
-
-Yes, the behavior for the type of account impacts the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type.
-
-- Microsoft account: signs in automatically
-- Local account: always asks for password, not configurable in **Settings**
-- Azure AD: asks for password by default; configurable by **Settings** to no longer ask for password.
-
->[!NOTE]
->Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is respected only when the device goes into StandBy.
-
-
-#### How do I remove a HoloLens device from the Intune dashboard?
-
-You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
-
-
-## Related resources
-
-[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/)
-
-[Get started with Intune](https://docs.microsoft.com/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
-
-[Enroll devices for management in Intune](https://docs.microsoft.com/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
-
-[Azure AD editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)
-
diff --git a/devices/hololens/hololens-start.md b/devices/hololens/hololens-start.md
new file mode 100644
index 0000000000..d303ee0c44
--- /dev/null
+++ b/devices/hololens/hololens-start.md
@@ -0,0 +1,57 @@
+---
+title: HoloLens (1st gen) first start
+description: Go through the first start experience for HoloLens (1st gen).
+ms.assetid: 0136188e-1305-43be-906e-151d70292e87
+ms.prod: hololens
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.date: 8/12/19
+manager: jarrettr
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Set up HoloLens for the first time
+
+The first time you turn on your HoloLens, you'll be guided through calibrating your device, setting up your device, and signing in. This section walks through the HoloLens (1st gen) first start experience.
+
+In the next section, you'll learn how to work with HoloLens and interact with holograms. Skip ahead to [Get started with HoloLens (1st gen)](holographic-home.md)
+
+## Before you start
+
+Before you get started, make sure you have the following available:
+
+**A Wi-Fi connection**. You'll need to connect your HoloLens to a Wi-Fi network to set it up. The first time you connect, you'll need an open or password-protected network that doesn't require navigating to a website or using certificates to connect. After setup, you can [use your device offline](hololens-offline.md).
+
+**A Microsoft account**. You'll also need to sign in to HoloLens with a Microsoft account (or with your work account, if your organization owns the device). If you don't have a Microsoft account, go to [account.microsoft.com](http://account.microsoft.com) and set one up for free.
+
+**A safe, well-lit space with no tripping hazards**. [Health and safety info](http://go.microsoft.com/fwlink/p/?LinkId=746661).
+
+**The optional comfort accessories** that came with your HoloLens, to help you get the most comfortable fit. [More on fit and comfort](https://support.microsoft.com/help/12632/hololens-fit-your-hololens).
+
+> [!NOTE]
+> [Cortana](hololens-cortana.md) is already on and ready to guide you the first time you use your HoloLens (though she won't be able to respond to your questions until after you set up your device). You can turn Cortana off at any time in Cortana's settings.
+
+## Set up your HoloLens
+
+Set up your HoloLens and your user account.
+
+1. The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. If you have trouble connecting to Wi-Fi during setup, make sure your network is either open, password protected, or a captive portal network and doesn't require using certificates to connect. After setup, you can connect to other types of Wi-Fi networks.
+1. Sign in to your user account. You'll choose between **My work or school owns it** and **I own it**.
+ - When you choose **My work or school owns it**, you sign in by using an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+ 1. Enter your organizational account information.
+ 1. Accept the privacy statement.
+ 1. Sign in by using your Azure AD credentials. This may redirect to your organization's sign-in page.
+ 1. Continue with device setup.
+ - When you choose **I own it**, you sign in by using a Microsoft account. After setup is complete, you can [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+ 1. Enter your Microsoft account information.
+ 1. Enter your password. If your Microsoft account requires [two-step verification (2FA)](https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/), complete the verification process.
+1. The device sets your time zone based on information obtained from the Wi-Fi network.
+1. Follow the first-start guides to learn how to interact with holograms, control the HoloLens with your voice, and access the start menu.
+
+Congratulations! Setup is complete and you can begin using HoloLens.
+
+## Next steps
+
+- [Get started with HoloLens (1st gen)](holographic-home.md)
diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md
new file mode 100644
index 0000000000..22c5e995db
--- /dev/null
+++ b/devices/hololens/hololens-status.md
@@ -0,0 +1,36 @@
+---
+title: HoloLens status
+description: Shows the status of HoloLens online services.
+author: todmccoy
+ms.author: v-todmc
+ms.reviewer: luoreill
+manager: jarrettr
+audience: Admin
+ms.topic: article
+ms.prod: hololens
+localization_priority: Medium
+ms.sitesec: library
+---
+
+# HoloLens status
+
+✔️ **All services are active**
+
+**Key** ✔️ Good, ⓘ Information, ⚠ Warning, ❌ Critical
+
+Area|HoloLens (1st gen)|HoloLens 2
+----|:----:|:----:
+[Azure services](https://status.azure.com/en-us/status)|✔️|✔️
+[Store app](https://www.microsoft.com/en-us/store/collections/hlgettingstarted/hololens)|✔️|✔️
+[Apps](https://www.microsoft.com/en-us/hololens/apps)|✔️|✔️
+[MDM](https://docs.microsoft.com/en-us/hololens/hololens-enroll-mdm)|✔️|✔️
+
+## Notes and related topics
+
+[Frequently asked questions about using Skype for HoloLens](https://support.skype.com/en/faq/FA34641/frequently-asked-questions-about-using-skype-for-hololens)
+
+For more details about the status of the myriad Azure Services that can connect to HoloLens, see [Azure status](https://azure.microsoft.com/en-us/status/).
+
+For more details about current known issues, see [HoloLens known issues](https://docs.microsoft.com/en-us/windows/mixed-reality/hololens-known-issues).
+
+Follow HoloLens on [Twitter](https://twitter.com/HoloLens) and subscribe on [Reddit](https://www.reddit.com/r/HoloLens/).
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index ef830c3525..418cfce2d9 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -22,9 +22,9 @@ manager: dansimp
For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business).
To configure how and when updates are applied, use the following policies:
-- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
-- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
+- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
+- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates:
- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate)
diff --git a/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md b/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
index 3254e13d6c..e499178078 100644
--- a/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
+++ b/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md
@@ -2,8 +2,6 @@
title: General Data Privacy Regulation and Surface Hub
description: Informs users who are subject to EU data protection laws of their options regarding how to delete or restrict diagnostic data produced by Surface Hub.
ms.assetid: 087713CF-631D-477B-9CC6-EFF939DE0186
-ms.reviewer:
-manager:
keywords: GDPR
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md b/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
index 9e70a8755c..439d3c68d7 100644
--- a/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
+++ b/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md
@@ -2,8 +2,6 @@
title: What to do if the Connect app in Surface Hub exits unexpectedly
description: Describes how to resolve an issue where the Connect app in Surface Hub exits to the Welcome screen after cycling through inputs.
ms.assetid: 9576f4e4-d936-4235-8a03-d8a6fe9e8fec
-ms.reviewer:
-manager:
keywords: surface, hub, connect, input, displayport
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index 5f16f8d171..2ab787b803 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -27,7 +27,9 @@
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
+ "manager": "laurawi",
"ms.mktglfcycl": "manage",
"ms.sitesec": "library",
"ms.date": "05/23/2017",
diff --git a/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md b/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
index 93c56d4e28..003795ec22 100644
--- a/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
+++ b/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md
@@ -2,8 +2,6 @@
title: Known issues and additional information about Microsoft Surface Hub
description: Outlines known issues with Microsoft Surface Hub.
ms.assetid: aee90a0c-fb05-466e-a2b1-92de89d0f2b7
-ms.reviewer:
-manager:
keywords: surface, hub, issues
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md b/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
index 1ec6740c76..98ad30890e 100644
--- a/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
+++ b/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md
@@ -2,8 +2,6 @@
title: Surface Hub may install updates and restart outside maintenance hours
description: troubleshooting information for Surface Hub regarding automatic updates
ms.assetid: 6C09A9F8-F9CF-4491-BBFB-67A1A1DED0AA
-ms.reviewer:
-manager:
keywords: surface hub, maintenance window, update
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md
index 7df7a694dc..76e5ac1055 100644
--- a/devices/surface-hub/surface-hub-2s-setup.md
+++ b/devices/surface-hub/surface-hub-2s-setup.md
@@ -97,4 +97,4 @@ If you insert a USB thumb drive with a provisioning package into one of the USB
- 4. Follow the instructions to complete first time Setup.
+4. Follow the instructions to complete first time Setup.
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
index 9ddfa628e6..9c1f451f63 100644
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -3,12 +3,12 @@ title: Configure Surface Hub Start menu
description: Use MDM to customize the Start menu on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: robmazz
+ms.author: robmazz
ms.topic: article
-ms.date: 01/17/2018
+ms.date: 08/15/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
@@ -107,7 +107,7 @@ There are a few key differences between Start menu customization for Surface Hub
## Example: Start layout that includes a Microsoft Edge link
-This example shows a link to a website and a link to a .pdf file.
+This example shows a link to a website and a link to a .pdf file. The secondary tile for Microsoft Edge uses a 150 x 150 pixel icon.
```xml
@@ -165,10 +165,10 @@ This example shows a link to a website and a link to a .pdf file.
TileID="6153963000"
DisplayName="cstrtqbiology.pdf"
Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf"
- Square150x150LogoUri="ms-appx:///"
+ Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
Wide310x150LogoUri="ms-appx:///"
- ShowNameOnSquare150x150Logo="true"
- ShowNameOnWide310x150Logo="true"
+ ShowNameOnSquare150x150Logo="true"
+ ShowNameOnWide310x150Logo="false"
BackgroundColor="#ff4e4248"
Size="4x2"
Row="4"
@@ -181,8 +181,6 @@ This example shows a link to a website and a link to a .pdf file.
```
>[!NOTE]
->Microsoft Edge tile logos won't appear on secondary tiles because they aren't stored in Surface Hub.
->
>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark.
## More information
diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index 881dfa5e4b..0f70604dac 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -2,8 +2,6 @@
title: Surface Hub update history
description: Surface Hub update history
ms.assetid: d66a9392-2b14-4cb2-95c3-92db0ae2de34
-ms.reviewer:
-manager:
keywords:
ms.prod: surface-hub
ms.sitesec: library
@@ -26,6 +24,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
+
+June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897)
+
+This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
+
+* Addresses an issue with log collection for Microsoft Surface Hub 2S.
+* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
+
+Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
+*[KB4503289](https://support.microsoft.com/help/4503289)
+
+
May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835)
@@ -484,4 +494,4 @@ This update to the Surface Hub includes quality improvements and security fixes.
* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq)
* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327)
* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968)
-* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
\ No newline at end of file
+* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
diff --git a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
index 12678d2a9c..7a30ff1e37 100644
--- a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
+++ b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
@@ -2,8 +2,6 @@
title: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
description: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
ms.assetid: 8af3a832-0537-403b-823b-12eaa7a1af1f
-ms.reviewer:
-manager:
keywords:
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
index 2cb3ab2414..d03cfe3055 100644
--- a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
+++ b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
@@ -2,8 +2,6 @@
title: How to use cloud recovery for BitLocker on a Surface Hub
description: How to use cloud recovery for BitLocker on a Surface Hub
ms.assetid: c0bde23a-49de-40f3-a675-701e3576d44d
-ms.reviewer:
-manager:
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
index eedbfe9ae5..40a5768d27 100644
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@@ -2,8 +2,6 @@
title: Using the Surface Hub Hardware Diagnostic Tool to test a device account
description: Using the Surface Hub Hardware Diagnostic Tool to test a device account
ms.assetid: a87b7d41-d0a7-4acc-bfa6-b9070f99bc9c
-ms.reviewer:
-manager:
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index 2c8a3793a6..e921c71e09 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -34,7 +34,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m
- Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet
- Surface Hub needs to be updated to Windows 10, version 1607 or newer
- Port 443 needs to be open since Whiteboard makes standard https requests
-- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
+- Whiteboard.ms, whiteboard.microsoft.com, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
>[!NOTE]
@@ -68,4 +68,5 @@ After you’re done, you can export a copy of the Whiteboard collaboration for y
## Related topics
- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
-- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
+
+- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 15a51ed349..b5f4d56009 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,6 +1,6 @@
# [Surface](index.md)
-## Get started
+## [Get started](get-started.md)
## Overview
### [Surface Pro Tech specs](https://www.microsoft.com/surface/devices/surface-pro/tech-specs)
@@ -30,15 +30,16 @@
### [Surface System SKU reference](surface-system-sku-reference.md)
## Manage
+### [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md)
### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
### [Battery Limit setting](battery-limit.md)
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
### [Surface firmware and driver updates](update.md)
-### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
-### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
+
## Secure
### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
@@ -46,12 +47,13 @@
### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
-## Support
+## Troubleshoot
### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md)
-### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
-### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
-### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+#### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
+#### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+#### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
### [Surface Data Eraser](microsoft-surface-data-eraser.md)
### [Top support solutions for Surface devices](support-solutions-surface.md)
### [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index 60ff9078bd..e0df401dea 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -20,9 +20,9 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
## System requirements
- - Surface Pro 3 or later
+- Surface Pro 3 or later
- - UEFI firmware version 3.9.150.0 or later
+- UEFI firmware version 3.9.150.0 or later
## Using Surface Asset Tag
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 14eea5c91d..ea290fea58 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -15,6 +15,14 @@ ms.topic: article
This topic lists new and updated topics in the Surface documentation library.
+## August 2019
+
+| **New or changed topic** | **Description** |
+| ------------------------ | --------------- |
+| [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) | New document highlights key wireless connectivity considerations for Surface devices in mobile scenarios. |
+| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. |
+
+
## July 2019
| **New or changed topic** | **Description** |
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 76e1c293cc..78eb4bd170 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -1,5 +1,5 @@
---
-title: Download the latest firmware and drivers for Surface devices (Surface)
+title: Deploy the latest firmware and drivers for Surface devices (Surface)
description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
ms.reviewer:
@@ -11,27 +11,43 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
-ms.date: 11/15/2018
+ms.date: 08/13/2018
ms.author: dansimp
ms.topic: article
---
-# Deploying the latest firmware and drivers for Surface devices
+# Deploy the latest firmware and drivers for Surface devices
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment.
-## Downloading MSI files
+## Download MSI files
To download MSI files, refer to the following Microsoft Support page:
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
## Deploying MSI files
-Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
-In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6.
+Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
+The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book.
+
+To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
### Surface MSI naming convention
-Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. SurfacePro6_Win10_16299_1900307_0.msi is classified as follows:
+Beginning in August 2019, MSI files use the following naming formula:
+
+- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero).
+
+**Example:**
+SurfacePro6_Win10_18362_19.073.44195_0.msi :
+
+| Product | Windows release | Build | Version | Revision of version |
+| --- | --- | --- | --- | --- |
+| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 |
+| | | | Indicates key date and sequence information. | Indicates release history of the update. |
+| | | | **19:** Signifies the year (2019). **073**: Signifies the month (July) and week of the release (3). **44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. |
+
+### Legacy Surface MSI naming convention
+Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number.
**Example:**
SurfacePro6_Win10_16299_1900307_0.msi :
@@ -39,8 +55,8 @@ SurfacePro6_Win10_16299_1900307_0.msi :
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 16299 | 1900307 | 0 |
-| | | | Indicates key date and sequence information | Indicates release history of the MSI file |
-| | | | **19:** Signifies the year (2019) **003**: Signifies that it’s the third release of 2019 **07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
+| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. |
+| | | | **19:** Signifies the year (2019) **003**: Signifies that it’s the third release of 2019. **07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list:
@@ -60,9 +76,9 @@ There are no downloadable firmware or driver updates available for Surface devic
For more information about deploying Surface drivers and firmware, refer to:
-- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates).
+- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
-- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).
+- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 75607e9f4d..026be430c1 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -25,7 +25,9 @@
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
+ "manager": "laurawi",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/devices/surface/images/wifi-band.png b/devices/surface/images/wifi-band.png
new file mode 100644
index 0000000000..38681a9dc8
Binary files /dev/null and b/devices/surface/images/wifi-band.png differ
diff --git a/devices/surface/images/wifi-roaming.png b/devices/surface/images/wifi-roaming.png
new file mode 100644
index 0000000000..eb539c9bd6
Binary files /dev/null and b/devices/surface/images/wifi-roaming.png differ
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index 6dcd9db277..4a3c4f93b3 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -59,14 +59,14 @@ instant on/instant off functionality typical of smartphones. S0ix, also
known as Deepest Runtime Idle Platform State (DRIPS), is the default
power mode for Surface devices. Modern standby has two modes:
- - **Connected standby.** The default mode for up-to-the minute
- delivery of emails, messaging, and cloud-synced data, connected
- standby keeps Wi-Fi on and maintains network connectivity.
+- **Connected standby.** The default mode for up-to-the minute
+ delivery of emails, messaging, and cloud-synced data, connected
+ standby keeps Wi-Fi on and maintains network connectivity.
- - **Disconnected standby.** An optional mode for extended battery
- life, disconnected standby delivers the same instant-on experience
- and saves power by turning off Wi-Fi, Bluetooth, and related network
- connectivity.
+- **Disconnected standby.** An optional mode for extended battery
+ life, disconnected standby delivers the same instant-on experience
+ and saves power by turning off Wi-Fi, Bluetooth, and related network
+ connectivity.
To learn more about modern standby, refer to the [Microsoft Hardware Dev
Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources).
@@ -76,13 +76,13 @@ Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/mo
Surface integrates the following features designed to help users
optimize the power management experience:
- - [Singular power plan](#singular-power-plan)
+- [Singular power plan](#singular-power-plan)
- - [Simplified power settings user
- interface](#simplified-power-settings-user-interface)
+- [Simplified power settings user
+ interface](#simplified-power-settings-user-interface)
- - [Windows performance power
- slider](#windows-performance-power-slider)
+- [Windows performance power
+ slider](#windows-performance-power-slider)
### Singular power plan
@@ -171,4 +171,4 @@ To learn more, see:
- [Battery
saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver)
-- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
\ No newline at end of file
+- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 34ccb3aa18..41b2e3d994 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -25,16 +25,16 @@ designed to help reduce thermal load and lower the overall carbon
footprint for deployed Surface devices. The tool automatically dims the screen when not in use and
includes the following configuration options:
- - Period of inactivity before dimming the display.
+- Period of inactivity before dimming the display.
- - Brightness level when dimmed.
+- Brightness level when dimmed.
- - Maximum brightness level when in use.
+- Maximum brightness level when in use.
**To run Surface Brightness Control:**
- - Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control
- will begin working immediately.
+- Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control
+ will begin working immediately.
## Configuring Surface Brightness Control
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 2d0b406711..956924345f 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -61,8 +61,8 @@ The following steps show you how to create a deployment share for Windows 10 tha
>[!NOTE]
>As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
> * Deployment tools
- > * User State Migration Tool (USMT)
- > * Windows Preinstallation Environment (WinPE)
+ > * User State Migration Tool (USMT)
+ > * Windows Preinstallation Environment (WinPE)
> [!NOTE]
> As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
@@ -75,11 +75,11 @@ The following steps show you how to create a deployment share for Windows 10 tha
- **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3.
- - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
+ - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
- **Windows 10 Deployment Services**
- - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
+ - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
- **Windows 10 Source Files**
@@ -100,25 +100,25 @@ The following steps show you how to create a deployment share for Windows 10 tha
7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
- - Download of Windows ADK
+ - Download of Windows ADK
- - Installation of Windows ADK
+ - Installation of Windows ADK
- - Download of MDT
+ - Download of MDT
- - Installation of MDT
+ - Installation of MDT
- - Download of Surface apps and drivers
+ - Download of Surface apps and drivers
- - Creation of the deployment share
+ - Creation of the deployment share
- - Import of Windows installation files into the deployment share
+ - Import of Windows installation files into the deployment share
- - Import of the apps and drivers into the deployment share
+ - Import of the apps and drivers into the deployment share
- - Creation of rules and task sequences for Windows deployment
+ - Creation of rules and task sequences for Windows deployment
- 
+ 
*Figure 5. The Installation Progress window*
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index a6099038b0..5cc8e9de9d 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -25,7 +25,7 @@ These are the top Microsoft Support solutions for common issues experienced when
## Screen cracked or scratched issues
-- [Cracked screen and physical damage](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-is-damaged)
+- [Contact Microsoft Support](https://support.microsoft.com/en-us/supportforbusiness/productselection)
## Device cover or keyboard issues
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index 83613f4a36..47046fbd72 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -29,10 +29,9 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
**To run the Surface Diagnostic Toolkit for Business:**
1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B).
-2. Select Run and follow the on-screen instructions.
-
-The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
+2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
+The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required.
# If you still need help
If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also:
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
new file mode 100644
index 0000000000..fe1ff34fe6
--- /dev/null
+++ b/devices/surface/surface-wireless-connect.md
@@ -0,0 +1,84 @@
+---
+title: Optimizing wireless connectivity for Surface devices
+description: This topic provides guidance around recommended wireless connectivity settings for network admins and users.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.topic: article
+ms.date: 08/15/2019
+ms.reviewer:
+manager: dansimp
+---
+# Optimizing wireless connectivity for Surface devices
+
+## Introduction
+
+To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings.
+
+In congested network environments, organizations can implement purpose-built wireless protocols across multiple network access points to facilitate roaming. This page highlights key wireless connectivity considerations in mobile scenarios utilizing Surface Pro 3 and later, Surface Book, Surface Laptop, and Surface Go.
+
+## Prerequisites
+
+This document assumes you have successfully deployed a wireless network that supports 802.11n (Wi-Fi 4) or later in accordance with best practice recommendations from leading equipment vendors.
+
+## Configuring access points for optimal roaming capabilities
+
+If you’re managing a wireless network that’s typically accessed by many different types of client devices, it’s recommended to enable specific protocols on access points (APs) in your WLAN, as described in [Fast Roaming with 802.11k, 802.11v, and 802.11r](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/fast-roaming-with-802-11k--802-11v--and-802-11r). Surface devices can take advantage of the following wireless protocols:
+
+- **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device.
+- **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization.
+
+Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs.
+
+## Managing user settings
+
+You can achieve optimal roaming capabilities through a well-designed network that supports 802.11r and 802.11k across all access points. Ensuring that your network is properly configured to provide users with the best wireless experience is the recommended approach versus attempting to manage user settings on individual devices. Moreover, in many corporate environments Surface device users won’t be able to access advanced network adapter settings without explicit permissions or local admin rights. In other lightly managed networks, users can benefit by knowing how specific settings can impact their ability to remain connected.
+
+### Recommended user settings and best practices
+
+In certain situations, modifying advanced network adapter settings built into Surface devices may facilitate a more reliable connection. Keep in mind however that an inability to connect to wireless resources is more often due to an access point issue, networking design flaw, or environmental site issue.
+
+> [!NOTE]
+> How you hold your Surface Pro or Surface Go can also affect signal strength. If you’re experiencing a loss of bandwidth, check that you’re not holding the top of the display, where the Wi-Fi radio receiver is located. Although holding the top of the display does not block wireless signals, it can trigger the device driver to initiate changes that reduce connectivity.
+
+### Keep default Auto setting for dual bandwidth capability
+On most Surface devices, you can configure client network adapter settings to only connect to wireless APs over 5 gigahertz (GHz), only connect over 2.4 GHz, or let the operating system choose the best option (default Auto setting).
+
+**To access network adapter settings go to:**
+
+- **Start** > **Control panel** > **Network and Sharing Center** > **your Wi-Fi adapter** > **Properties** > **Configure** > **Advanced**.
+
+
+
+Keep in mind that 2.4 GHz has some advantages over 5 GHz: It extends further and more easily penetrates through walls or other solid objects. Unless you have a clear use case that warrants connecting to 5 GHz, it’s recommended to leave the Band setting in the default state to avoid possible adverse consequences. For example:
+
+
+- Many hotspots found in hotels, coffee shops, and airports still only use 2.4 GHz, effectively blocking access to devices if Band is set to 5 GHz Only.
+- Since Miracast wireless display connections require the initial handshake to be completed over 2.4 GHz channels, devices won’t be able to connect at 5 GHz Only.
+
+> [!NOTE]
+> By default Surface devices will prefer connecting to 5 GHz if available. However, to preserve power in a low battery state, Surface will first look for a 2.4 GHz connection.
+
+You can also toggle the band setting as needed to suit your environment. For example, users living in high density apartment buildings with multiple Wi-Fi hotspots — amid the presence of consumer devices all broadcasting via 2.4 GHz — will likely benefit by setting their Surface device to connect on 5 GHz only and then revert to Auto when needed.
+
+### Roaming aggressiveness settings on Surface Go
+
+Front-line workers using Surface Go may wish to select a signal strength threshold that prompts the device to search for a new access point when signal strength drops (roaming aggressiveness). By default, Surface devices attempt to roam to a new access point if the signal strength drops below **Medium** (50 percent signal strength). Note that whenever you increase roaming aggressiveness, you accelerate battery power consumption.
+
+Leave the roaming aggressiveness setting in the default state unless you’re encountering connectivity issues in specific mobile scenarios such as conducting environmental site inspections while also maintaining voice and video connectivity during a conference meeting. If you don’t notice any improvement revert to the default **Medium** state.
+
+**To enable roaming aggressiveness on Surface Go:**
+
+1. Go to **Start > Control Panel** > **Network and Internet** > **Network and Sharing Center.**
+2. Under **Connections** select **Wi-Fi** and then select **Properties.**
+3. Select **Client for Microsoft Networks** and then select **Configure**
+4. Select **Advanced** > **Roaming Aggressiveness** and choose ****your preferred value from the drop-down menu.
+
+
+
+## Conclusion
+
+Surface devices are designed with default settings for optimal wireless connectivity balanced alongside the need to preserve battery life. The most effective way of enabling reliable connectivity for Surface devices is through a well-designed network that supports 802.11r and 802.11k. Users can adjust network adapter settings or roaming aggressiveness but should only do so in response to specific environmental factors and revert to default state if there’s no noticeable improvement.
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index 72f123de7f..fc7cf4147e 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -14,7 +14,7 @@ ms.reviewer:
manager: dansimp
---
-# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
+# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
#### Applies to
* Surface Pro 3
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index af796bd2c4..dff968bbf3 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -103,39 +103,45 @@ The sample scripts include examples of how to set Surface UEFI settings and how
### Specify certificate and package names
-The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script:
+The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script:
```
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
57 $packageRoot = "$WorkingDirPath\Config"
- 58
- 59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
- 60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot
- 61
- 62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx"
- 63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg"
- 64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg"
- 65
- 66 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
- 67 $password = "1234"
+ 58 $certName = "FabrikamSEMMSample.pfx"
+ 59 $DllVersion = "2.26.136.0"
+ 60
+ 61 $certNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($certName)
+ 62 $ProvisioningPackage = $certNameOnly + "ProvisioningPackage.pkg"
+ 63 $ResetPackage = $certNameOnly + "ResetPackage.pkg"
+ 64
+ 65 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
+ 66 Copy-Item "$WorkingDirPath\$certName" $packageRoot
+ 67
+ 68 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath $certName
+ 69 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath $ProvisioningPackage
+ 70 $resetPackageName = Join-Path -Path $packageRoot -ChildPath $ResetPackage
+ 71
+ 72 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
+ 73 $password = "1234"
```
-Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
+Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
-Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
+Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
-On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
+On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
>[!Note]
->The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this:
+>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this:
```
-144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
-145 # For convenience we get the thumbprint here and present to the user.
-146 $pw = ConvertTo-SecureString $password -AsPlainText -Force
-147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
-148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
-149 Write-Host "Thumbprint =" $certPrint.Thumbprint
+150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
+151 # For convenience we get the thumbprint here and present to the user.
+152 $pw = ConvertTo-SecureString $password -AsPlainText -Force
+153 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+154 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
+155 Write-Host "Thumbprint =" $certPrint.Thumbprint
```
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
@@ -153,46 +159,47 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
### Configure permissions
-The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
+The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
```
-202 # Configure Permissions
-203 foreach ($uefiV2 IN $surfaceDevices.Values) {
-204 # Here we define which "identities" will be allowed to modify which settings
-205 # PermissionSignerOwner = The primary SEMM enterprise owner identity
-206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
-207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
-208 # Additional user identities created so that the signer owner
-209 # can delegate permission control for some settings.
-210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
-211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
-212
-213 # Make all permissions owner only by default
-214 foreach ($setting IN $uefiV2.Settings.Values) {
-215 $setting.ConfiguredPermissionFlags = $ownerOnly
-216 }
-217 # Allow the local user to change their own password
-218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
-219
-220 # Allow the local user to change the state of the TPM
-221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser
-222
-223 # Allow the local user to change the state of the Front and Rear cameras
-224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser
-225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser
-226
-227
-228 # Create a unique package name based on family and LSV.
-229 # We will choose a name that can be parsed by later scripts.
-230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
-231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
-232
-233 # Build and sign the Permission package then save it to a file.
-234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
-235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
-236 $permissionPackageStream.CopyTo($permissionPackage)
-237 $permissionPackage.Close()
-238 }
+210 # Configure Permissions
+211 foreach ($uefiV2 IN $surfaceDevices.Values) {
+212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
+213 Write-Host "Configuring permissions"
+214 Write-Host $Device.Model
+215 Write-Host "======================="
+216
+217 # Here we define which "identities" will be allowed to modify which settings
+218 # PermissionSignerOwner = The primary SEMM enterprise owner identity
+219 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
+220 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
+221 # Additional user identities created so that the signer owner
+222 # can delegate permission control for some settings.
+223 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
+224 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
+225
+226 # Make all permissions owner only by default
+227 foreach ($setting IN $uefiV2.Settings.Values) {
+228 $setting.ConfiguredPermissionFlags = $ownerOnly
+229 }
+230
+231 # Allow the local user to change their own password
+232 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
+233
+234 Write-Host ""
+235
+236 # Create a unique package name based on family and LSV.
+237 # We will choose a name that can be parsed by later scripts.
+238 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
+239 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
+240
+241 # Build and sign the Permission package then save it to a file.
+242 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
+243 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
+244 $permissionPackageStream.CopyTo($permissionPackage)
+245 $permissionPackage.Close()
+246 }
+247 }
```
Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values:
@@ -204,69 +211,169 @@ You can find information about the available settings names and IDs for Surface
### Configure settings
-The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows:
+The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows:
```
-282 # Configure Settings
-283 foreach ($uefiV2 IN $surfaceDevices.Values) {
-284 # In this demo, we will start by setting every setting to the default factory setting.
-285 # You may want to start by doing this in your scripts
-286 # so that every setting gets set to a known state.
-287 foreach ($setting IN $uefiV2.Settings.Values) {
-288 $setting.ConfiguredValue = $setting.DefaultValue
-289 }
-290
-291 # If you want to set something to a different value from the default,
-292 # here are examples of how to accomplish this.
-293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled"
-294
-295 # If you want to leave the setting unmodified, set it to $null
-296 # PowerShell has issues setting things to $null so ClearConfiguredValue()
-297 # is supplied to do this explicitly.
-298 # Here is an example of leaving the UEFI administrator password as-is,
-299 # even after we initially set it to factory default above.
-300 $uefiV2.SettingsById[501].ClearConfiguredValue()
-301
-302 # Create a unique package name based on family and LSV.
-303 # We will choose a name that can be parsed by later scripts.
-304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
-305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
-306
-307 # Build and sign the Settings package then save it to a file.
-308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
-309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
-310 $settingsPackageStream.CopyTo($settingsPackage)
-311 $settingsPackage.Close()
-312 }
+291 # Configure Settings
+292 foreach ($uefiV2 IN $surfaceDevices.Values) {
+293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
+294 Write-Host "Configuring settings"
+295 Write-Host $Device.Model
+296 Write-Host "===================="
+297
+298 # In this demo, we will start by setting every setting to the default factory setting.
+299 # You may want to start by doing this in your scripts
+300 # so that every setting gets set to a known state.
+301 foreach ($setting IN $uefiV2.Settings.Values) {
+302 $setting.ConfiguredValue = $setting.DefaultValue
+303 }
+304
+305 $EnabledValue = "Enabled"
+306 $DisabledValue = "Disabled"
+307
+308 # If you want to set something to a different value from the default,
+309 # here are examples of how to accomplish this.
+310 # This disables IPv6 PXE boot by name:
+311 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = $DisabledValue
+312
+313 # This disables IPv6 PXE Boot by ID:
+314 $uefiV2.SettingsById[400].ConfiguredValue = $DisabledValue
+315
+316 Write-Host ""
+317
+318 # If you want to leave the setting unmodified, set it to $null
+319 # PowerShell has issues setting things to $null so ClearConfiguredValue()
+320 # is supplied to do this explicitly.
+321 # Here is an example of leaving the UEFI administrator password as-is,
+322 # even after we initially set it to factory default above.
+323 $uefiV2.SettingsById[501].ClearConfiguredValue()
+324
+325 # Create a unique package name based on family and LSV.
+326 # We will choose a name that can be parsed by later scripts.
+327 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
+328 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
+329
+330 # Build and sign the Settings package then save it to a file.
+331 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
+332 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
+333 $settingsPackageStream.CopyTo($settingsPackage)
+334 $settingsPackage.Close()
+335 }
```
Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**.
-If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
+If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 323 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article.
### Settings registry key
-To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location:
+To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location:
-`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000`
+`HKLM\SOFTWARE\Microsoft\Surface\SEMM`
-The following code fragment, found on lines 352-363, is used to write this registry key:
+The following code fragment, found on lines 380-477, is used to write these registry keys:
```
-352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
-353 New-RegKey $SurfaceRegKey
-354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue
-355
-356 If ($SurfaceRegValue -eq $null)
-357 {
-358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null
-359 }
-360 Else
-361 {
-362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1
-363 }
+380 # For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
+381 $UTCDate = (Get-Date).ToUniversalTime().ToString()
+382 $certIssuer = $certPrint.Issuer
+383 $certSubject = $certPrint.Subject
+384
+385 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
+386 New-RegKey $SurfaceRegKey
+387 $LSVRegValue = Get-ItemProperty $SurfaceRegKey LSV -ErrorAction SilentlyContinue
+388 $DateTimeRegValue = Get-ItemProperty $SurfaceRegKey LastConfiguredUTC -ErrorAction SilentlyContinue
+389 $OwnershipSessionIdRegValue = Get-ItemProperty $SurfaceRegKey OwnershipSessionId -ErrorAction SilentlyContinue
+390 $PermissionSessionIdRegValue = Get-ItemProperty $SurfaceRegKey PermissionSessionId -ErrorAction SilentlyContinue
+391 $SettingsSessionIdRegValue = Get-ItemProperty $SurfaceRegKey SettingsSessionId -ErrorAction SilentlyContinue
+392 $IsResetRegValue = Get-ItemProperty $SurfaceRegKey IsReset -ErrorAction SilentlyContinue
+393 $certUsedRegValue = Get-ItemProperty $SurfaceRegKey CertName -ErrorAction SilentlyContinue
+394 $certIssuerRegValue = Get-ItemProperty $SurfaceRegKey CertIssuer -ErrorAction SilentlyContinue
+395 $certSubjectRegValue = Get-ItemProperty $SurfaceRegKey CertSubject -ErrorAction SilentlyContinue
+396
+397
+398 If ($LSVRegValue -eq $null)
+399 {
+400 New-ItemProperty -Path $SurfaceRegKey -Name LSV -PropertyType DWORD -Value $lsv | Out-Null
+401 }
+402 Else
+403 {
+404 Set-ItemProperty -Path $SurfaceRegKey -Name LSV -Value $lsv
+405 }
+406
+407 If ($DateTimeRegValue -eq $null)
+408 {
+409 New-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -PropertyType String -Value $UTCDate | Out-Null
+410 }
+411 Else
+412 {
+413 Set-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -Value $UTCDate
+414 }
+415
+416 If ($OwnershipSessionIdRegValue -eq $null)
+417 {
+418 New-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -PropertyType String -Value $ownerSessionIdValue | Out-Null
+419 }
+420 Else
+421 {
+422 Set-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -Value $ownerSessionIdValue
+423 }
+424
+425 If ($PermissionSessionIdRegValue -eq $null)
+426 {
+427 New-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -PropertyType String -Value $permissionSessionIdValue | Out-Null
+428 }
+429 Else
+430 {
+431 Set-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -Value $permissionSessionIdValue
+432 }
+433
+434 If ($SettingsSessionIdRegValue -eq $null)
+435 {
+436 New-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -PropertyType String -Value $settingsSessionIdValue | Out-Null
+437 }
+438 Else
+439 {
+440 Set-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -Value $settingsSessionIdValue
+441 }
+442
+443 If ($IsResetRegValue -eq $null)
+444 {
+445 New-ItemProperty -Path $SurfaceRegKey -Name IsReset -PropertyType DWORD -Value 0 | Out-Null
+446 }
+447 Else
+448 {
+449 Set-ItemProperty -Path $SurfaceRegKey -Name IsReset -Value 0
+450 }
+451
+452 If ($certUsedRegValue -eq $null)
+453 {
+454 New-ItemProperty -Path $SurfaceRegKey -Name CertName -PropertyType String -Value $certName | Out-Null
+455 }
+456 Else
+457 {
+458 Set-ItemProperty -Path $SurfaceRegKey -Name CertName -Value $certName
+459 }
+460
+461 If ($certIssuerRegValue -eq $null)
+462 {
+463 New-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -PropertyType String -Value $certIssuer | Out-Null
+464 }
+465 Else
+466 {
+467 Set-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -Value $certIssuer
+468 }
+469
+470 If ($certSubjectRegValue -eq $null)
+471 {
+472 New-ItemProperty -Path $SurfaceRegKey -Name CertSubject -PropertyType String -Value $certSubject | Out-Null
+473 }
+474 Else
+475 {
+476 Set-ItemProperty -Path $SurfaceRegKey -Name CertSubject -Value $certSubject
+477 }
```
### Settings names and IDs
diff --git a/education/docfx.json b/education/docfx.json
index c336a4de5b..15587928ef 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -27,6 +27,9 @@
"ROBOTS": "INDEX, FOLLOW",
"audience": "windows-education",
"ms.topic": "article",
+ "ms.technology": "windows",
+ "manager": "laurawi",
+ "audience": "ITPro",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md
index d6010ad62c..3047fe8d8d 100644
--- a/education/get-started/configure-microsoft-store-for-education.md
+++ b/education/get-started/configure-microsoft-store-for-education.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md
index 170c94d505..986a6c4af0 100644
--- a/education/get-started/enable-microsoft-teams.md
+++ b/education/get-started/enable-microsoft-teams.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md
index 9495aa1d31..8633a400ed 100644
--- a/education/get-started/finish-setup-and-other-tasks.md
+++ b/education/get-started/finish-setup-and-other-tasks.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index a36cdb45da..64cf56759a 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: hero-article
+ms.topic: article
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md
index 0d5813061e..f0887073f7 100644
--- a/education/get-started/set-up-office365-edu-tenant.md
+++ b/education/get-started/set-up-office365-edu-tenant.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md
index bc564efa41..7bd5123140 100644
--- a/education/get-started/set-up-windows-10-education-devices.md
+++ b/education/get-started/set-up-windows-10-education-devices.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
@@ -26,6 +26,8 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio
To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide:
- **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
+- **Option 3: [Bulk enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-bulk-enroll)**
+- **Option 4: [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)**
> [!div class="step-by-step"]
> [<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md
index 582134817f..cb83590354 100644
--- a/education/get-started/set-up-windows-education-devices.md
+++ b/education/get-started/set-up-windows-education-devices.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md
index 9a4b451c83..1e6eac8cf8 100644
--- a/education/get-started/use-intune-for-education.md
+++ b/education/get-started/use-intune-for-education.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
@@ -21,7 +21,7 @@ manager: dansimp
> [<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
> [Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
-Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
+Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 and iOS devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
## Example - Set up Intune for Education, buy apps from the Store, and install the apps
In this walkthrough, we'll go through a sample scenario and walk you through the steps to:
@@ -221,4 +221,4 @@ You're now done assigning apps to all users in your tenant. It's time to set up
## Related topic
-[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
+[Set up iOS device management](https://docs.microsoft.com/en-us/intune-education/setup-ios-device-management)
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
index 6a025b3ff4..14a34bcda5 100644
--- a/education/get-started/use-school-data-sync.md
+++ b/education/get-started/use-school-data-sync.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
author: levinec
diff --git a/education/index.md b/education/index.md
index f07f216119..8dfa606f42 100644
--- a/education/index.md
+++ b/education/index.md
@@ -56,7 +56,7 @@ ms.prod: w10
Deployment Guidance
-
Dive right into the step-by-step process for the easiest deployment path to M365 EDU. We walk you through setting up cloud infrastructure, configuring and managing devices, and migrating on-premise servers for Sharepoint and Exchange to the cloud.
+
Learn the easiest path to deploy Microsoft 365 Education through our step-by-step process. We walk you through cloud deployment, device management,apps set up and configuration, and how to find deployment assistance.
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index bdb1df0296..b4cdaad1f4 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -5,7 +5,7 @@ keywords: education, Microsoft 365 Education, trial, full cloud IT solution, sch
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
ROBOTS: noindex,nofollow
diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md
index d92973b13b..7c0eaafd0a 100644
--- a/education/windows/s-mode-switch-to-edu.md
+++ b/education/windows/s-mode-switch-to-edu.md
@@ -42,7 +42,7 @@ S mode is an enhanced security mode of Windows 10 – streamlined for security a
|Credential Guard | | | | X |
|Device Guard | | | | X |
-### Windows 10 in S mode is safe, secure, and fast.
+### Windows 10 in S mode is safe, secure, and fast.
However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
## How to switch
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index 27ca52dfd3..546e8c7831 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: medium
author: mjcaparas
ms.author: macapara
-ms.date: 06/03/2019
+ms.date: 08/15/2019
ms.reviewer:
manager: dansimp
---
@@ -17,6 +17,15 @@ manager: dansimp
# What's new in Set up School PCs
Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases.
+
+## Week of June 24, 2019
+
+### Resumed support for Windows 10, version 1903 and later
+The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app.
+
+### Device rename made optional for Azure AD joined devices
+When you set up your Azure AD join devices in the Set up School PCs app, you no longer need to rename your devices. Set up School PCs will let you keep existing device names.
+
## Week of May 23, 2019
### Suspended support for Windows 10, version 1903 and later
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index eaa22faf91..1f8eb4eb0f 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -20,9 +20,9 @@ manager: dansimp
- Windows 10
You have two tools to choose from to set up PCs for your classroom:
- * Set up School PCs
- * Windows Configuration Designer
-
+* Set up School PCs
+* Windows Configuration Designer
+
Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account).
You can use the following diagram to compare the tools.
diff --git a/mdop/agpm/TOC.md b/mdop/agpm/TOC.md
index 1443cf78ae..319eeaf746 100644
--- a/mdop/agpm/TOC.md
+++ b/mdop/agpm/TOC.md
@@ -240,5 +240,6 @@
###### [AGPM Server Connection Settings](agpm-server-connection-settings.md)
###### [Feature Visibility Settings](feature-visibility-settings.md)
##### [Other Enhancements to the GPMC](other-enhancements-to-the-gpmc.md)
+## [Troubleshooting AGPM Upgrades](troubleshooting-agpm40-upgrades.md)
## [Resources for AGPM](resources-for-agpm.md)
diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md
index 324327c269..3832e088c4 100644
--- a/mdop/agpm/index.md
+++ b/mdop/agpm/index.md
@@ -1,7 +1,7 @@
---
title: Advanced Group Policy Management
description: Advanced Group Policy Management
-author: jamiejdt
+author: dansimp
ms.assetid: 493ca3c3-c3d6-4bb1-9430-dc1e43c86bb0
ms.pagetype: mdop
ms.mktglfcycl: manage
diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md
index dc69096e0f..090949bb7e 100644
--- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md
@@ -272,15 +272,17 @@ As an AGPM Administrator (Full Control), you designate the e-mail addresses of A
**To configure e-mail notification for AGPM**
-1. In the details pane, click the **Domain Delegation** tab.
+1. In **Group Policy Management Editor** , navigate to the **Change Control** folder
-2. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent.
+2. In the details pane, click the **Domain Delegation** tab.
-3. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role.
+3. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent.
-4. In the **SMTP server** field, type a valid SMTP mail server.
+4. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role.
-5. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**.
+5. In the **SMTP server** field, type a valid SMTP mail server.
+
+6. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**.
### Step 5: Delegate access
diff --git a/mdop/agpm/troubleshooting-agpm40-upgrades.md b/mdop/agpm/troubleshooting-agpm40-upgrades.md
new file mode 100644
index 0000000000..a1b6663214
--- /dev/null
+++ b/mdop/agpm/troubleshooting-agpm40-upgrades.md
@@ -0,0 +1,41 @@
+---
+title: Troubleshooting AGPM Upgrades
+description: Troubleshooting AGPM Upgrades
+author: jedodson
+ms.assetid: 1abbf0c1-fd32-46a8-a3ba-c005f066523d
+ms.reviewer:
+manager: dansimp
+ms.author: jedodson
+ms.pagetype: mdop
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
+ms.date: 06/16/2016
+---
+
+
+# Troubleshooting AGPM Upgrades
+
+This section lists common issues that you may encounter when you upgrade your Advanced Group Policy Management (AGPM) server to a newer version (e.g. AGPM 4.0 to AGPM 4.3). To diagnose issues not listed here, it may be helpful to view the [Troubleshooting AGPM](troubleshooting-agpm-agpm40.md) or for an AGPM Administrator (Full Control) to use logging and tracing. For more information, see [Configure Logging and Tracing](configure-logging-and-tracing-agpm40.md).
+
+## What problems are you having?
+
+- [Failed to generate a HTML GPO difference report (Error code 80004003)](#bkmk-error-80004003)
+
+### Failed to generate a HTML GPO difference report (Error code 80004003)
+
+- **Cause**: You have installed the AGPM upgrade package with an incorrect account.
+
+- **Solution**: You will need to be an AGPM administrator in order to fix this issue.
+
+ - Ensure you know the username & password of your **AGPM service account**.
+
+ - Log onto your AGPM server interactively as your AGPM service account.
+
+ - This is critically important, as the install will fail if you use a different account.
+
+ - Shutdown the AGPM service.
+
+ - Install the required hotfix.
+
+ - Connect to AGPM using an AGPM client to test that your difference reports are now functioning.
diff --git a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md
index 1b90836822..5d1c399e81 100644
--- a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md
+++ b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: manikadhiman
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-application-licensing.md b/mdop/appv-v4/about-application-licensing.md
index 323ddc8447..039444d39d 100644
--- a/mdop/appv-v4/about-application-licensing.md
+++ b/mdop/appv-v4/about-application-licensing.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-application-virtualization-applications.md b/mdop/appv-v4/about-application-virtualization-applications.md
index bcde0caabe..81f4351171 100644
--- a/mdop/appv-v4/about-application-virtualization-applications.md
+++ b/mdop/appv-v4/about-application-virtualization-applications.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-application-virtualization-packages.md b/mdop/appv-v4/about-application-virtualization-packages.md
index cc5664e576..63e1915d67 100644
--- a/mdop/appv-v4/about-application-virtualization-packages.md
+++ b/mdop/appv-v4/about-application-virtualization-packages.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-application-virtualization-servers.md b/mdop/appv-v4/about-application-virtualization-servers.md
index 241dbca298..6078a1f5cb 100644
--- a/mdop/appv-v4/about-application-virtualization-servers.md
+++ b/mdop/appv-v4/about-application-virtualization-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md
index 2ece8bb435..2379da3dff 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md
index 6e0135e762..80134f7a39 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45.md b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
index 6747f077ed..827934974f 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md
index aa774f657e..f2d49596f4 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md
index d11db11a1f..ece900187a 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md
index 5973540792..ef4f01c277 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46.md b/mdop/appv-v4/about-microsoft-application-virtualization-46.md
index 394b921628..4e2161b45f 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-publishing.md b/mdop/appv-v4/about-publishing.md
index 54ba36cfd3..0aab27b334 100644
--- a/mdop/appv-v4/about-publishing.md
+++ b/mdop/appv-v4/about-publishing.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-sequencing-phases.md b/mdop/appv-v4/about-sequencing-phases.md
index 78f1f65733..e9f821e89a 100644
--- a/mdop/appv-v4/about-sequencing-phases.md
+++ b/mdop/appv-v4/about-sequencing-phases.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-sharing-package-accelerators-page.md b/mdop/appv-v4/about-sharing-package-accelerators-page.md
index c8cf061993..880688dd13 100644
--- a/mdop/appv-v4/about-sharing-package-accelerators-page.md
+++ b/mdop/appv-v4/about-sharing-package-accelerators-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-application-virtualization-sequencer.md b/mdop/appv-v4/about-the-application-virtualization-sequencer.md
index 139afed1b7..c51d335407 100644
--- a/mdop/appv-v4/about-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/about-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-application-virtualization-server-management-console.md b/mdop/appv-v4/about-the-application-virtualization-server-management-console.md
index eb23af68bb..e3654b07e0 100644
--- a/mdop/appv-v4/about-the-application-virtualization-server-management-console.md
+++ b/mdop/appv-v4/about-the-application-virtualization-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-deployment-tab.md b/mdop/appv-v4/about-the-deployment-tab.md
index ecd0dce407..7a0a6c25b4 100644
--- a/mdop/appv-v4/about-the-deployment-tab.md
+++ b/mdop/appv-v4/about-the-deployment-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-the-files-tab.md b/mdop/appv-v4/about-the-files-tab.md
index 8d8c64dd8b..2281e4a415 100644
--- a/mdop/appv-v4/about-the-files-tab.md
+++ b/mdop/appv-v4/about-the-files-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-osd-tab.md b/mdop/appv-v4/about-the-osd-tab.md
index 6355f6a8a5..cd15ddc088 100644
--- a/mdop/appv-v4/about-the-osd-tab.md
+++ b/mdop/appv-v4/about-the-osd-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-properties-tab.md b/mdop/appv-v4/about-the-properties-tab.md
index 60f67d1be8..49f24affb3 100644
--- a/mdop/appv-v4/about-the-properties-tab.md
+++ b/mdop/appv-v4/about-the-properties-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-sequencer-console.md b/mdop/appv-v4/about-the-sequencer-console.md
index 836a438e18..c9ade6aad8 100644
--- a/mdop/appv-v4/about-the-sequencer-console.md
+++ b/mdop/appv-v4/about-the-sequencer-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-virtual-file-system-tab.md b/mdop/appv-v4/about-the-virtual-file-system-tab.md
index bd07a942c7..c63df76467 100644
--- a/mdop/appv-v4/about-the-virtual-file-system-tab.md
+++ b/mdop/appv-v4/about-the-virtual-file-system-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-the-virtual-registry-tab.md b/mdop/appv-v4/about-the-virtual-registry-tab.md
index 71e0e3aa94..580a4456c0 100644
--- a/mdop/appv-v4/about-the-virtual-registry-tab.md
+++ b/mdop/appv-v4/about-the-virtual-registry-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-virtual-services-tab.md b/mdop/appv-v4/about-the-virtual-services-tab.md
index 94b51a9dd2..9da1a5c4f1 100644
--- a/mdop/appv-v4/about-the-virtual-services-tab.md
+++ b/mdop/appv-v4/about-the-virtual-services-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-using-the-sequencer-command-line.md b/mdop/appv-v4/about-using-the-sequencer-command-line.md
index 844d28f414..b54eeb6152 100644
--- a/mdop/appv-v4/about-using-the-sequencer-command-line.md
+++ b/mdop/appv-v4/about-using-the-sequencer-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-virtual-environments.md b/mdop/appv-v4/about-virtual-environments.md
index 91448a0bbb..263e550a58 100644
--- a/mdop/appv-v4/about-virtual-environments.md
+++ b/mdop/appv-v4/about-virtual-environments.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-app.md b/mdop/appv-v4/add-app.md
index 56e1ff83ee..be8e8866ee 100644
--- a/mdop/appv-v4/add-app.md
+++ b/mdop/appv-v4/add-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-package.md b/mdop/appv-v4/add-package.md
index 58a1f87769..80ed132da5 100644
--- a/mdop/appv-v4/add-package.md
+++ b/mdop/appv-v4/add-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-server.md b/mdop/appv-v4/add-server.md
index 3db501a538..546c6c2e3a 100644
--- a/mdop/appv-v4/add-server.md
+++ b/mdop/appv-v4/add-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-type.md b/mdop/appv-v4/add-type.md
index 804035833e..cfcbb9e6fb 100644
--- a/mdop/appv-v4/add-type.md
+++ b/mdop/appv-v4/add-type.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/administrators-node.md b/mdop/appv-v4/administrators-node.md
index 4c36416137..633c1da358 100644
--- a/mdop/appv-v4/administrators-node.md
+++ b/mdop/appv-v4/administrators-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/administrators-results-pane-columns.md b/mdop/appv-v4/administrators-results-pane-columns.md
index 7a62f2ddf6..57de6d3cde 100644
--- a/mdop/appv-v4/administrators-results-pane-columns.md
+++ b/mdop/appv-v4/administrators-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/administrators-results-pane.md b/mdop/appv-v4/administrators-results-pane.md
index 8432b0e579..88516a4348 100644
--- a/mdop/appv-v4/administrators-results-pane.md
+++ b/mdop/appv-v4/administrators-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md
index 055f74d65d..4eec31af83 100644
--- a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-45-sp2-release-notes.md b/mdop/appv-v4/app-v-45-sp2-release-notes.md
index dc5d8fafe0..ab0e856ca4 100644
--- a/mdop/appv-v4/app-v-45-sp2-release-notes.md
+++ b/mdop/appv-v4/app-v-45-sp2-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m
When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client:
-** msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
+**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command:
-** msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
+**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**Note**
- The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2.
diff --git a/mdop/appv-v4/app-v-46-release-notes.md b/mdop/appv-v4/app-v-46-release-notes.md
index efa16e1ff9..08a8ca5d64 100644
--- a/mdop/appv-v4/app-v-46-release-notes.md
+++ b/mdop/appv-v4/app-v-46-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-46-sp1-release-notes.md b/mdop/appv-v4/app-v-46-sp1-release-notes.md
index 09ea6abd40..dd7fa73a1b 100644
--- a/mdop/appv-v4/app-v-46-sp1-release-notes.md
+++ b/mdop/appv-v4/app-v-46-sp1-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-46-sp2-release-notes.md b/mdop/appv-v4/app-v-46-sp2-release-notes.md
index 9da44bdde6..227967a34a 100644
--- a/mdop/appv-v4/app-v-46-sp2-release-notes.md
+++ b/mdop/appv-v4/app-v-46-sp2-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-46-sp3-release-notes.md b/mdop/appv-v4/app-v-46-sp3-release-notes.md
index 7dc2b557c3..d62afda16b 100644
--- a/mdop/appv-v4/app-v-46-sp3-release-notes.md
+++ b/mdop/appv-v4/app-v-46-sp3-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-application-wmi-class.md b/mdop/appv-v4/app-v-application-wmi-class.md
index 7aae865573..3567a8da0e 100644
--- a/mdop/appv-v4/app-v-application-wmi-class.md
+++ b/mdop/appv-v4/app-v-application-wmi-class.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-client-registry-values-sp1.md b/mdop/appv-v4/app-v-client-registry-values-sp1.md
index 59e5ac9ae5..5edc5870e2 100644
--- a/mdop/appv-v4/app-v-client-registry-values-sp1.md
+++ b/mdop/appv-v4/app-v-client-registry-values-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-desktop-client-security.md b/mdop/appv-v4/app-v-desktop-client-security.md
index 8b1261715e..2bf8723032 100644
--- a/mdop/appv-v4/app-v-desktop-client-security.md
+++ b/mdop/appv-v4/app-v-desktop-client-security.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-installation-checklist.md b/mdop/appv-v4/app-v-installation-checklist.md
index 4b2e5c573d..68208f051d 100644
--- a/mdop/appv-v4/app-v-installation-checklist.md
+++ b/mdop/appv-v4/app-v-installation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md
index be861b5d2c..b4fc7f6ba0 100644
--- a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md
+++ b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-package-wmi-class.md b/mdop/appv-v4/app-v-package-wmi-class.md
index bd91ad1751..f9efeee4ce 100644
--- a/mdop/appv-v4/app-v-package-wmi-class.md
+++ b/mdop/appv-v4/app-v-package-wmi-class.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-postinstallation-checklist.md b/mdop/appv-v4/app-v-postinstallation-checklist.md
index 87b30551fd..814811b75f 100644
--- a/mdop/appv-v4/app-v-postinstallation-checklist.md
+++ b/mdop/appv-v4/app-v-postinstallation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-pre-installation-checklist.md b/mdop/appv-v4/app-v-pre-installation-checklist.md
index c426c83566..4de02e6032 100644
--- a/mdop/appv-v4/app-v-pre-installation-checklist.md
+++ b/mdop/appv-v4/app-v-pre-installation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-upgrade-checklist.md b/mdop/appv-v4/app-v-upgrade-checklist.md
index fcabc76d01..942fa32de6 100644
--- a/mdop/appv-v4/app-v-upgrade-checklist.md
+++ b/mdop/appv-v4/app-v-upgrade-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/application-utilization-reportserver.md b/mdop/appv-v4/application-utilization-reportserver.md
index 29301ef748..78ed55aaad 100644
--- a/mdop/appv-v4/application-utilization-reportserver.md
+++ b/mdop/appv-v4/application-utilization-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
index fbeb7f66e6..e7bf14bd06 100644
--- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
+++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md
index 5934984a4d..2f13cd29a0 100644
--- a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md
+++ b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console-overview.md b/mdop/appv-v4/application-virtualization-client-management-console-overview.md
index 314b2e91ef..1f514c7ba3 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console-overview.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console-reference.md b/mdop/appv-v4/application-virtualization-client-management-console-reference.md
index 0d705a6dbc..e13ceabe61 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console-reference.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md b/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md
index c00f5ef58d..a65de90286 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console.md b/mdop/appv-v4/application-virtualization-client-management-console.md
index 703e1fcab3..e8e5980d13 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-reference.md b/mdop/appv-v4/application-virtualization-client-reference.md
index 2363a32ee3..bc3dbef0d8 100644
--- a/mdop/appv-v4/application-virtualization-client-reference.md
+++ b/mdop/appv-v4/application-virtualization-client-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-wmi-provider.md b/mdop/appv-v4/application-virtualization-client-wmi-provider.md
index 39b1ebb2ed..dd3b3f8eae 100644
--- a/mdop/appv-v4/application-virtualization-client-wmi-provider.md
+++ b/mdop/appv-v4/application-virtualization-client-wmi-provider.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client.md b/mdop/appv-v4/application-virtualization-client.md
index 1756d814d7..819dd8bed1 100644
--- a/mdop/appv-v4/application-virtualization-client.md
+++ b/mdop/appv-v4/application-virtualization-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md
index ae15062828..4bd4d4fe49 100644
--- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md
+++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md
index c7c5b57205..d71379b47f 100644
--- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md
+++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md
index 7e6e309b9b..c09ced741d 100644
--- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md
+++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-requirements.md b/mdop/appv-v4/application-virtualization-deployment-requirements.md
index 2d00a73d21..9baee67d59 100644
--- a/mdop/appv-v4/application-virtualization-deployment-requirements.md
+++ b/mdop/appv-v4/application-virtualization-deployment-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-glossary.md b/mdop/appv-v4/application-virtualization-glossary.md
index 441bff3d5d..3669509527 100644
--- a/mdop/appv-v4/application-virtualization-glossary.md
+++ b/mdop/appv-v4/application-virtualization-glossary.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md b/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md
index c459939b7c..9b480ae5f3 100644
--- a/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-file-system-tab.md b/mdop/appv-v4/application-virtualization-properties-file-system-tab.md
index 2a116d4707..fe4acb134a 100644
--- a/mdop/appv-v4/application-virtualization-properties-file-system-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-file-system-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-general-tab.md b/mdop/appv-v4/application-virtualization-properties-general-tab.md
index 31bfb94c4b..375209e344 100644
--- a/mdop/appv-v4/application-virtualization-properties-general-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-general-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md b/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md
index 87085b92cf..ada91ffa6f 100644
--- a/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-interface-tab.md b/mdop/appv-v4/application-virtualization-properties-interface-tab.md
index 558c483a39..fedbe93af5 100644
--- a/mdop/appv-v4/application-virtualization-properties-interface-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-interface-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-permissions-tab.md b/mdop/appv-v4/application-virtualization-properties-permissions-tab.md
index b80b1b8d6a..b830275c12 100644
--- a/mdop/appv-v4/application-virtualization-properties-permissions-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-permissions-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-reference.md b/mdop/appv-v4/application-virtualization-reference.md
index 974d97b6f6..11b374d4e3 100644
--- a/mdop/appv-v4/application-virtualization-reference.md
+++ b/mdop/appv-v4/application-virtualization-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-report-types.md b/mdop/appv-v4/application-virtualization-report-types.md
index 6ea5f2c5b6..3e81bdd8f6 100644
--- a/mdop/appv-v4/application-virtualization-report-types.md
+++ b/mdop/appv-v4/application-virtualization-report-types.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-command-line.md b/mdop/appv-v4/application-virtualization-sequencer-command-line.md
index a8be9c0b31..abbc660844 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-command-line.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-console-overview.md b/mdop/appv-v4/application-virtualization-sequencer-console-overview.md
index cb4b33d294..1669e0fe12 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-console-overview.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-console-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
index 22cdebc6e0..cc7fa3c205 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-online-help.md b/mdop/appv-v4/application-virtualization-sequencer-online-help.md
index ca78682274..3164dedaf1 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-online-help.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-online-help.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md
index 99a1ab2bb0..894504a132 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-overview.md b/mdop/appv-v4/application-virtualization-sequencer-overview.md
index 3c9e44e3ab..efe77f6f0e 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-overview.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-reference.md b/mdop/appv-v4/application-virtualization-sequencer-reference.md
index e68f8bfb5c..69240cc62a 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-reference.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md b/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md
index 75d1b5f1a4..36c372bd1c 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer.md b/mdop/appv-v4/application-virtualization-sequencer.md
index 7ba4e42e1c..3f31f87b42 100644
--- a/mdop/appv-v4/application-virtualization-sequencer.md
+++ b/mdop/appv-v4/application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md
index 19fe7b1ff4..e3b9b48948 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md
index 6b96b69061..7d58727b72 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md
index a987309e5f..1a7aceec55 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md
index bea986ef57..c195624f90 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md
index fde9035b02..0fa1b9ca03 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md
index fbbb325980..995ae0facc 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md
index cab2f6fa85..8f834f6d26 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md
index 3cefd2e341..996fff81b1 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md
index e27772099e..6a9437812a 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md
index ac297b38e4..87689f417f 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md
index fd47fcd34c..8a53cc64f2 100644
--- a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md
+++ b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -19,7 +19,7 @@ ms.date: 06/16/2016
If you plan to use a server-based deployment scenario for your Microsoft Application Virtualization environment, it is important to understand the differences between the *Application Virtualization Management Server* and the *Application Virtualization Streaming Server*. This topic describes those differences and also provides information about package delivery methods, transmission protocols, and external components that you will need to consider as you proceed with your deployment.
-## Application Virtualization Management Server
+## Application Virtualization Management Server
The Application Virtualization Management Server performs both the publishing function and the streaming function. The server publishes application icons, shortcuts, and file type associations to the App-V clients for authorized users. When user requests for applications are received the server streams that data on-demand to authorized users using RTSP or RTSPS protocols. In most configurations using this server, one or more Management Servers share a common data store for configuration and package information.
@@ -28,7 +28,7 @@ The Application Virtualization Management Servers use Active Directory groups to
Because the Application Virtualization Management Servers stream applications to end-users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs.
-## Application Virtualization Streaming Server
+## Application Virtualization Streaming Server
The Application Virtualization Streaming Server delivers the same streaming and package upgrade capabilities provided by the Management Server, but without its Active Directory or SQL Server requirements. However, the Streaming Server does not have a publishing service, nor does it have licensing or metering capabilities. The publishing service of a separate App-V Management Server is used in conjunction with the App-V Streaming Server. The App-V Streaming Server addresses the needs of businesses that want to use Application Virtualization in multiple locations with the streaming capabilities of the classic server configuration but might not have the infrastructure to support App-V Management Servers in every location.
diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario.md b/mdop/appv-v4/application-virtualization-server-based-scenario.md
index e572a24620..84336dad16 100644
--- a/mdop/appv-v4/application-virtualization-server-based-scenario.md
+++ b/mdop/appv-v4/application-virtualization-server-based-scenario.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server-management-console-reference.md b/mdop/appv-v4/application-virtualization-server-management-console-reference.md
index 24e202d492..c36cd7f3fd 100644
--- a/mdop/appv-v4/application-virtualization-server-management-console-reference.md
+++ b/mdop/appv-v4/application-virtualization-server-management-console-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server-management-help.md b/mdop/appv-v4/application-virtualization-server-management-help.md
index eebfea01e7..7ae7b3aab4 100644
--- a/mdop/appv-v4/application-virtualization-server-management-help.md
+++ b/mdop/appv-v4/application-virtualization-server-management-help.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server.md b/mdop/appv-v4/application-virtualization-server.md
index 088cca81ff..db3ac34238 100644
--- a/mdop/appv-v4/application-virtualization-server.md
+++ b/mdop/appv-v4/application-virtualization-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-system-requirements.md b/mdop/appv-v4/application-virtualization-system-requirements.md
index 0688d51f04..d912bfff73 100644
--- a/mdop/appv-v4/application-virtualization-system-requirements.md
+++ b/mdop/appv-v4/application-virtualization-system-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md b/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md
index 0e6f43502d..3420240770 100644
--- a/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md
+++ b/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-licenses-node.md b/mdop/appv-v4/applications-licenses-node.md
index e41472ad97..3bc727a6b1 100644
--- a/mdop/appv-v4/applications-licenses-node.md
+++ b/mdop/appv-v4/applications-licenses-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-licenses-results-pane-columns.md b/mdop/appv-v4/applications-licenses-results-pane-columns.md
index db5a7c01f6..9fe5dbaaf8 100644
--- a/mdop/appv-v4/applications-licenses-results-pane-columns.md
+++ b/mdop/appv-v4/applications-licenses-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-licenses-results-pane.md b/mdop/appv-v4/applications-licenses-results-pane.md
index 8ef30047ea..3339644301 100644
--- a/mdop/appv-v4/applications-licenses-results-pane.md
+++ b/mdop/appv-v4/applications-licenses-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-node-in-server-management-console.md b/mdop/appv-v4/applications-node-in-server-management-console.md
index 69d90c8bdb..0dd4066e35 100644
--- a/mdop/appv-v4/applications-node-in-server-management-console.md
+++ b/mdop/appv-v4/applications-node-in-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-node.md b/mdop/appv-v4/applications-node.md
index 872ead9d24..760ebc733a 100644
--- a/mdop/appv-v4/applications-node.md
+++ b/mdop/appv-v4/applications-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md
index f39b06792c..55a7172da2 100644
--- a/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md
+++ b/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane-columns.md b/mdop/appv-v4/applications-results-pane-columns.md
index 763e99c393..c7c7c41ec3 100644
--- a/mdop/appv-v4/applications-results-pane-columns.md
+++ b/mdop/appv-v4/applications-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-in-server-management-console.md
index bd376a200e..ea36979d73 100644
--- a/mdop/appv-v4/applications-results-pane-in-server-management-console.md
+++ b/mdop/appv-v4/applications-results-pane-in-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane.md b/mdop/appv-v4/applications-results-pane.md
index 22f28cbc17..ad52fe65d1 100644
--- a/mdop/appv-v4/applications-results-pane.md
+++ b/mdop/appv-v4/applications-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md
index 98700d6626..8ac9a89ec9 100644
--- a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md
+++ b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/change-history-tab-keep.md b/mdop/appv-v4/change-history-tab-keep.md
index 4347604ec5..7de068d479 100644
--- a/mdop/appv-v4/change-history-tab-keep.md
+++ b/mdop/appv-v4/change-history-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/clear-app.md b/mdop/appv-v4/clear-app.md
index c2d2aabe62..ce8c9d4c5f 100644
--- a/mdop/appv-v4/clear-app.md
+++ b/mdop/appv-v4/clear-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/clear-obj.md b/mdop/appv-v4/clear-obj.md
index d3ca15bcc0..33dfd04705 100644
--- a/mdop/appv-v4/clear-obj.md
+++ b/mdop/appv-v4/clear-obj.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-about-dialog-boxes.md b/mdop/appv-v4/client-management-console-about-dialog-boxes.md
index 97a9f99b1d..67b7ff9eaa 100644
--- a/mdop/appv-v4/client-management-console-about-dialog-boxes.md
+++ b/mdop/appv-v4/client-management-console-about-dialog-boxes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-application-virtualization-node.md b/mdop/appv-v4/client-management-console-application-virtualization-node.md
index 5f7297aa42..9ea64120a9 100644
--- a/mdop/appv-v4/client-management-console-application-virtualization-node.md
+++ b/mdop/appv-v4/client-management-console-application-virtualization-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-application-virtualization-properties.md b/mdop/appv-v4/client-management-console-application-virtualization-properties.md
index 5da7bbfacd..85513a0959 100644
--- a/mdop/appv-v4/client-management-console-application-virtualization-properties.md
+++ b/mdop/appv-v4/client-management-console-application-virtualization-properties.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-applications-node.md b/mdop/appv-v4/client-management-console-applications-node.md
index 586ba675da..6661141ad2 100644
--- a/mdop/appv-v4/client-management-console-applications-node.md
+++ b/mdop/appv-v4/client-management-console-applications-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-file-type-associations-node.md b/mdop/appv-v4/client-management-console-file-type-associations-node.md
index f30e504b85..f0c5570f3c 100644
--- a/mdop/appv-v4/client-management-console-file-type-associations-node.md
+++ b/mdop/appv-v4/client-management-console-file-type-associations-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-publishing-servers-node.md b/mdop/appv-v4/client-management-console-publishing-servers-node.md
index 304a71be0d..f863e5d717 100644
--- a/mdop/appv-v4/client-management-console-publishing-servers-node.md
+++ b/mdop/appv-v4/client-management-console-publishing-servers-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/command-line-errors.md b/mdop/appv-v4/command-line-errors.md
index 4acd9ab657..3da8e0d9f9 100644
--- a/mdop/appv-v4/command-line-errors.md
+++ b/mdop/appv-v4/command-line-errors.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/command-line-parameters.md b/mdop/appv-v4/command-line-parameters.md
index b404816379..2c67aced2f 100644
--- a/mdop/appv-v4/command-line-parameters.md
+++ b/mdop/appv-v4/command-line-parameters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/completion-page-package-accelerator.md b/mdop/appv-v4/completion-page-package-accelerator.md
index 27a3c7d86a..7542c71906 100644
--- a/mdop/appv-v4/completion-page-package-accelerator.md
+++ b/mdop/appv-v4/completion-page-package-accelerator.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/completion-page.md b/mdop/appv-v4/completion-page.md
index 185a46fbcb..c733a56d5d 100644
--- a/mdop/appv-v4/completion-page.md
+++ b/mdop/appv-v4/completion-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-app.md b/mdop/appv-v4/configure-app.md
index b79e177839..407824e6a0 100644
--- a/mdop/appv-v4/configure-app.md
+++ b/mdop/appv-v4/configure-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-package.md b/mdop/appv-v4/configure-package.md
index 140a076da1..2bccdbf61d 100644
--- a/mdop/appv-v4/configure-package.md
+++ b/mdop/appv-v4/configure-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-server.md b/mdop/appv-v4/configure-server.md
index 80234b1cb8..ed7f5ca4d8 100644
--- a/mdop/appv-v4/configure-server.md
+++ b/mdop/appv-v4/configure-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-software-page--learn-more-.md b/mdop/appv-v4/configure-software-page--learn-more-.md
index af0b0a1d3a..87abcb67dd 100644
--- a/mdop/appv-v4/configure-software-page--learn-more-.md
+++ b/mdop/appv-v4/configure-software-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-software-page-app-v-46-sp1.md b/mdop/appv-v4/configure-software-page-app-v-46-sp1.md
index a34c98a052..7d201afb8d 100644
--- a/mdop/appv-v4/configure-software-page-app-v-46-sp1.md
+++ b/mdop/appv-v4/configure-software-page-app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-type.md b/mdop/appv-v4/configure-type.md
index e835038f35..42307e58cb 100644
--- a/mdop/appv-v4/configure-type.md
+++ b/mdop/appv-v4/configure-type.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md b/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md
index 13366bf24f..1fe3f100c5 100644
--- a/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md
+++ b/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-app-v-for-secure-administration.md b/mdop/appv-v4/configuring-app-v-for-secure-administration.md
index c7cba41d0a..a71fffa3c7 100644
--- a/mdop/appv-v4/configuring-app-v-for-secure-administration.md
+++ b/mdop/appv-v4/configuring-app-v-for-secure-administration.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md
index 5c2c349db4..fe8ec7d8bc 100644
--- a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md
+++ b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md
index 2a4167506b..86f2485e5c 100644
--- a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md
+++ b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md b/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md
index 5465035643..7999d55e32 100644
--- a/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md
+++ b/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-iis-for-secure-streaming.md b/mdop/appv-v4/configuring-iis-for-secure-streaming.md
index 7257a99ab0..1e5c0be5b8 100644
--- a/mdop/appv-v4/configuring-iis-for-secure-streaming.md
+++ b/mdop/appv-v4/configuring-iis-for-secure-streaming.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md b/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md
index 96a4b5539a..022b096208 100644
--- a/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md
+++ b/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md b/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md
index 1bd95ead94..92700f1f2a 100644
--- a/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md
+++ b/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md b/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md
index edc3ef0f37..f8ec256bdd 100644
--- a/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md
+++ b/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md b/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md
index d464360774..571b263abc 100644
--- a/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md b/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md
index e30320dafe..688c137ae2 100644
--- a/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md
+++ b/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-windows-firewall-for-app-v.md b/mdop/appv-v4/configuring-windows-firewall-for-app-v.md
index 73934119ca..f97d412295 100644
--- a/mdop/appv-v4/configuring-windows-firewall-for-app-v.md
+++ b/mdop/appv-v4/configuring-windows-firewall-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md b/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md
index fc96660a9f..11cb5f957c 100644
--- a/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md
+++ b/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-accelerator--review-errors--page.md b/mdop/appv-v4/create-package-accelerator--review-errors--page.md
index 8d75ae4c4d..63cdf9f7e1 100644
--- a/mdop/appv-v4/create-package-accelerator--review-errors--page.md
+++ b/mdop/appv-v4/create-package-accelerator--review-errors--page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-accelerator-page.md b/mdop/appv-v4/create-package-accelerator-page.md
index 375a138612..2d86172bf5 100644
--- a/mdop/appv-v4/create-package-accelerator-page.md
+++ b/mdop/appv-v4/create-package-accelerator-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md b/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md
index 71a197fc05..65aba0176a 100644
--- a/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md
+++ b/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-page--app-v-46-sp1.md b/mdop/appv-v4/create-package-page--app-v-46-sp1.md
index 11e4b06c98..cfd5f7b2fc 100644
--- a/mdop/appv-v4/create-package-page--app-v-46-sp1.md
+++ b/mdop/appv-v4/create-package-page--app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/customize-page--learn-more-.md b/mdop/appv-v4/customize-page--learn-more-.md
index 6a0e3c74c1..0bed35f090 100644
--- a/mdop/appv-v4/customize-page--learn-more-.md
+++ b/mdop/appv-v4/customize-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md
index e4c834e85d..a4d6ce5126 100644
--- a/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md
index 07fbba35bd..0fc1fd41be 100644
--- a/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-app.md b/mdop/appv-v4/delete-app.md
index 0e41d65f85..a5a5189fe4 100644
--- a/mdop/appv-v4/delete-app.md
+++ b/mdop/appv-v4/delete-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-obj.md b/mdop/appv-v4/delete-obj.md
index 6b5acf34df..e0e1085ae9 100644
--- a/mdop/appv-v4/delete-obj.md
+++ b/mdop/appv-v4/delete-obj.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-package.md b/mdop/appv-v4/delete-package.md
index 925e63a5c9..f89b69d461 100644
--- a/mdop/appv-v4/delete-package.md
+++ b/mdop/appv-v4/delete-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-server.md b/mdop/appv-v4/delete-server.md
index 4f021d2a66..7425b0751b 100644
--- a/mdop/appv-v4/delete-server.md
+++ b/mdop/appv-v4/delete-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-type.md b/mdop/appv-v4/delete-type.md
index d0a905b4ee..62cbd9b1c7 100644
--- a/mdop/appv-v4/delete-type.md
+++ b/mdop/appv-v4/delete-type.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/deployment-tab.md b/mdop/appv-v4/deployment-tab.md
index d6e1eff0b6..0b872aa0ce 100644
--- a/mdop/appv-v4/deployment-tab.md
+++ b/mdop/appv-v4/deployment-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/determine-your-publishing-method.md b/mdop/appv-v4/determine-your-publishing-method.md
index 1883661846..683549aa16 100644
--- a/mdop/appv-v4/determine-your-publishing-method.md
+++ b/mdop/appv-v4/determine-your-publishing-method.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/determine-your-streaming-method.md b/mdop/appv-v4/determine-your-streaming-method.md
index 290ebfd16b..eac83fa0c2 100644
--- a/mdop/appv-v4/determine-your-streaming-method.md
+++ b/mdop/appv-v4/determine-your-streaming-method.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md b/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md
index 9ff9753e82..a61b7c716f 100644
--- a/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md
+++ b/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/disconnected-operation-mode.md b/mdop/appv-v4/disconnected-operation-mode.md
index dd0d4d4240..b123b249f9 100644
--- a/mdop/appv-v4/disconnected-operation-mode.md
+++ b/mdop/appv-v4/disconnected-operation-mode.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md b/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md
index d0ea1928a7..7abf4bd3a7 100644
--- a/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md
+++ b/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/edit-shortcuts-learn-more.md b/mdop/appv-v4/edit-shortcuts-learn-more.md
index ace37c7243..830abacbd3 100644
--- a/mdop/appv-v4/edit-shortcuts-learn-more.md
+++ b/mdop/appv-v4/edit-shortcuts-learn-more.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
index 51c635b149..6173dbdd7a 100644
--- a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
+++ b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario.md b/mdop/appv-v4/electronic-software-distribution-based-scenario.md
index 2c8df5d6cd..d99c4ce90f 100644
--- a/mdop/appv-v4/electronic-software-distribution-based-scenario.md
+++ b/mdop/appv-v4/electronic-software-distribution-based-scenario.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/exclusion-item-dialog-box.md b/mdop/appv-v4/exclusion-item-dialog-box.md
index 3038ca2a54..250a430862 100644
--- a/mdop/appv-v4/exclusion-item-dialog-box.md
+++ b/mdop/appv-v4/exclusion-item-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/exclusion-items-tab-keep.md b/mdop/appv-v4/exclusion-items-tab-keep.md
index 03cef6b8c2..e4dcff97c2 100644
--- a/mdop/appv-v4/exclusion-items-tab-keep.md
+++ b/mdop/appv-v4/exclusion-items-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md
index 5e81d25347..a08aea1e5d 100644
--- a/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-association-results-pane-columns.md b/mdop/appv-v4/file-type-association-results-pane-columns.md
index 553b985e35..1cdc78f1cc 100644
--- a/mdop/appv-v4/file-type-association-results-pane-columns.md
+++ b/mdop/appv-v4/file-type-association-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-association-results-pane.md b/mdop/appv-v4/file-type-association-results-pane.md
index c390505e3b..3b6a32eb71 100644
--- a/mdop/appv-v4/file-type-association-results-pane.md
+++ b/mdop/appv-v4/file-type-association-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-node-client.md b/mdop/appv-v4/file-type-associations-node-client.md
index eb1add60af..4182a0dbbf 100644
--- a/mdop/appv-v4/file-type-associations-node-client.md
+++ b/mdop/appv-v4/file-type-associations-node-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-node.md b/mdop/appv-v4/file-type-associations-node.md
index a3c15d61a1..f739cf0208 100644
--- a/mdop/appv-v4/file-type-associations-node.md
+++ b/mdop/appv-v4/file-type-associations-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-results-pane-columns.md b/mdop/appv-v4/file-type-associations-results-pane-columns.md
index 328719b89c..1458316d50 100644
--- a/mdop/appv-v4/file-type-associations-results-pane-columns.md
+++ b/mdop/appv-v4/file-type-associations-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-results-pane.md b/mdop/appv-v4/file-type-associations-results-pane.md
index b92248b3ce..b1f2badd96 100644
--- a/mdop/appv-v4/file-type-associations-results-pane.md
+++ b/mdop/appv-v4/file-type-associations-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md
index 3d67e35b05..c994c8d5e0 100644
--- a/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/files-tab-keep.md b/mdop/appv-v4/files-tab-keep.md
index 3c616264a1..aaeebd7805 100644
--- a/mdop/appv-v4/files-tab-keep.md
+++ b/mdop/appv-v4/files-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/gathering-information-page--learn-more-.md b/mdop/appv-v4/gathering-information-page--learn-more-.md
index c6c6f38d8a..2fb6c6cc6f 100644
--- a/mdop/appv-v4/gathering-information-page--learn-more-.md
+++ b/mdop/appv-v4/gathering-information-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/general-tab-keep.md b/mdop/appv-v4/general-tab-keep.md
index 4df61af9be..58ae9340d1 100644
--- a/mdop/appv-v4/general-tab-keep.md
+++ b/mdop/appv-v4/general-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/guidance-page-app-v-46-sp1.md b/mdop/appv-v4/guidance-page-app-v-46-sp1.md
index 879ece17d3..6af524a1e1 100644
--- a/mdop/appv-v4/guidance-page-app-v-46-sp1.md
+++ b/mdop/appv-v4/guidance-page-app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/help.md b/mdop/appv-v4/help.md
index 287e3fa741..1b14a81bf2 100644
--- a/mdop/appv-v4/help.md
+++ b/mdop/appv-v4/help.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-file-type-association.md b/mdop/appv-v4/how-to-add-a-file-type-association.md
index 046d2f8f0d..bd5e1a7cb5 100644
--- a/mdop/appv-v4/how-to-add-a-file-type-association.md
+++ b/mdop/appv-v4/how-to-add-a-file-type-association.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md b/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md
index 8f7b5ed7f5..6b9c002b72 100644
--- a/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-package-version.md b/mdop/appv-v4/how-to-add-a-package-version.md
index b2aba5778b..6a4b7c4372 100644
--- a/mdop/appv-v4/how-to-add-a-package-version.md
+++ b/mdop/appv-v4/how-to-add-a-package-version.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-package.md b/mdop/appv-v4/how-to-add-a-package.md
index 4e55ae9e08..b9f409c2cb 100644
--- a/mdop/appv-v4/how-to-add-a-package.md
+++ b/mdop/appv-v4/how-to-add-a-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-server.md b/mdop/appv-v4/how-to-add-a-server.md
index 4649e67c3f..0fb467e68f 100644
--- a/mdop/appv-v4/how-to-add-a-server.md
+++ b/mdop/appv-v4/how-to-add-a-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-an-administrator-group.md b/mdop/appv-v4/how-to-add-an-administrator-group.md
index 193e0366bd..27067fbc52 100644
--- a/mdop/appv-v4/how-to-add-an-administrator-group.md
+++ b/mdop/appv-v4/how-to-add-an-administrator-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-an-application.md b/mdop/appv-v4/how-to-add-an-application.md
index 71dbe1c7f8..760c7f8540 100644
--- a/mdop/appv-v4/how-to-add-an-application.md
+++ b/mdop/appv-v4/how-to-add-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md
index c1ecf63c7e..2616fee08d 100644
--- a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md
index 4ac9accd65..ca8c706037 100644
--- a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md
index ae25bdef3b..f24d17b75f 100644
--- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md
+++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md
index 2d0a95bbfd..9e1d52e3fc 100644
--- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md
+++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md
index ffb07d7155..84d62ca579 100644
--- a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md
+++ b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-branch-a-package.md b/mdop/appv-v4/how-to-branch-a-package.md
index 52221d9dd2..9b2ab8c069 100644
--- a/mdop/appv-v4/how-to-branch-a-package.md
+++ b/mdop/appv-v4/how-to-branch-a-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md
index d5b2380a20..32dfc28858 100644
--- a/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md
+++ b/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-an-application-icon.md b/mdop/appv-v4/how-to-change-an-application-icon.md
index 1f2881c4f8..9e9dbf95b0 100644
--- a/mdop/appv-v4/how-to-change-an-application-icon.md
+++ b/mdop/appv-v4/how-to-change-an-application-icon.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-an-application-iconserver.md b/mdop/appv-v4/how-to-change-an-application-iconserver.md
index 7f85c76a15..19445774d2 100644
--- a/mdop/appv-v4/how-to-change-an-application-iconserver.md
+++ b/mdop/appv-v4/how-to-change-an-application-iconserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-deployment-properties.md b/mdop/appv-v4/how-to-change-deployment-properties.md
index 66c8d2fd96..f9eb0b5d3f 100644
--- a/mdop/appv-v4/how-to-change-deployment-properties.md
+++ b/mdop/appv-v4/how-to-change-deployment-properties.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-import-search-paths.md b/mdop/appv-v4/how-to-change-import-search-paths.md
index 928852dfa1..fef1c273d9 100644
--- a/mdop/appv-v4/how-to-change-import-search-paths.md
+++ b/mdop/appv-v4/how-to-change-import-search-paths.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-package-properties.md b/mdop/appv-v4/how-to-change-package-properties.md
index abe69abeb3..565e4c27e9 100644
--- a/mdop/appv-v4/how-to-change-package-properties.md
+++ b/mdop/appv-v4/how-to-change-package-properties.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md
index 8346a0eb10..0aed8a88e3 100644
--- a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md
+++ b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md
index c981b9ffd1..4c3247ee57 100644
--- a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md
+++ b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-server-cache-size.md b/mdop/appv-v4/how-to-change-the-server-cache-size.md
index 198ee9a625..5b61e12a03 100644
--- a/mdop/appv-v4/how-to-change-the-server-cache-size.md
+++ b/mdop/appv-v4/how-to-change-the-server-cache-size.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md
index 8bfcb4dcb4..baeeef43e1 100644
--- a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md
+++ b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-server-port.md b/mdop/appv-v4/how-to-change-the-server-port.md
index 3a807f2d68..14d1933fb9 100644
--- a/mdop/appv-v4/how-to-change-the-server-port.md
+++ b/mdop/appv-v4/how-to-change-the-server-port.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md b/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md
index 7fe070657a..db72c07843 100644
--- a/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md
+++ b/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-user-access-permissions.md b/mdop/appv-v4/how-to-change-user-access-permissions.md
index ef7947df2b..e935af3cad 100644
--- a/mdop/appv-v4/how-to-change-user-access-permissions.md
+++ b/mdop/appv-v4/how-to-change-user-access-permissions.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-clear-an-application.md b/mdop/appv-v4/how-to-clear-an-application.md
index c738ca904d..2fba3e47a3 100644
--- a/mdop/appv-v4/how-to-clear-an-application.md
+++ b/mdop/appv-v4/how-to-clear-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
index 801b2d13bc..0a694a6795 100644
--- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
+++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
- ** fsutil behavior set SymlinkEvaluation R2R:1**
+ **fsutil behavior set SymlinkEvaluation R2R:1**
**Note**
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.
diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
index 2ee211e811..8fd997eafd 100644
--- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
+++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
- ** fsutil behavior set SymlinkEvaluation R2R:1**
+ **fsutil behavior set SymlinkEvaluation R2R:1**
**Note**
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.
diff --git a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md
index ec3efe7a1a..c14a8c48a6 100644
--- a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md
+++ b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md
index 978aefac2f..2b4a53819a 100644
--- a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md
+++ b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md b/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md
index 4f60659a53..1c79254fd6 100644
--- a/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md
+++ b/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md b/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md
index 9fb56f0792..5a4d8e1932 100644
--- a/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md
+++ b/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md
index 7f8b6db82f..c668b902eb 100644
--- a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md
+++ b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md
index 05d2bc0b77..afe7d0a2da 100644
--- a/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md
+++ b/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md
index 150d93d6c9..03e3ac7409 100644
--- a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md b/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md
index 023d8ba9ba..615d3a60b6 100644
--- a/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md
+++ b/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md b/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md
index 1b477e3c0e..85ccb5fd59 100644
--- a/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md
+++ b/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md
index 9dc834b4ad..5dab5d7b35 100644
--- a/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md
+++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md
index bd27ed1708..8225fe37da 100644
--- a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md
+++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md
index 9f63f76ebb..8671c8e401 100644
--- a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md
+++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md
index 54a3e12931..04f4c05542 100644
--- a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md
+++ b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md
index 08fb9b8dfb..fe5c5331d3 100644
--- a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md
+++ b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md b/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md
index ec298ac0dd..ee1c92f759 100644
--- a/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md
+++ b/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md b/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md
index 2dcd0fc57b..951cbbb2d7 100644
--- a/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md
+++ b/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-log-file.md b/mdop/appv-v4/how-to-configure-the-client-log-file.md
index 20b326dfa4..e4a46cd129 100644
--- a/mdop/appv-v4/how-to-configure-the-client-log-file.md
+++ b/mdop/appv-v4/how-to-configure-the-client-log-file.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-file-server.md b/mdop/appv-v4/how-to-configure-the-file-server.md
index 812c78cb2c..c9d01b4dba 100644
--- a/mdop/appv-v4/how-to-configure-the-file-server.md
+++ b/mdop/appv-v4/how-to-configure-the-file-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-server-for-iis.md b/mdop/appv-v4/how-to-configure-the-server-for-iis.md
index 76119811be..4290cc9bf5 100644
--- a/mdop/appv-v4/how-to-configure-the-server-for-iis.md
+++ b/mdop/appv-v4/how-to-configure-the-server-for-iis.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md
index 04e4ec6328..fec2c858fe 100644
--- a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md
+++ b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-user-permissions.md b/mdop/appv-v4/how-to-configure-user-permissions.md
index 31a1894e7b..88e1049577 100644
--- a/mdop/appv-v4/how-to-configure-user-permissions.md
+++ b/mdop/appv-v4/how-to-configure-user-permissions.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md
index 59c1e3b44c..3ec2889648 100644
--- a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md
+++ b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md
index 7578063d2b..7e516a89fd 100644
--- a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md
+++ b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md b/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md
index 9321f73949..8368dd56f8 100644
--- a/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md
+++ b/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md
index 097bf0d4b7..169761167e 100644
--- a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md
+++ b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-create-a-reportserver.md b/mdop/appv-v4/how-to-create-a-reportserver.md
index 134036f18f..abdfd7298e 100644
--- a/mdop/appv-v4/how-to-create-a-reportserver.md
+++ b/mdop/appv-v4/how-to-create-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-a-server-group.md b/mdop/appv-v4/how-to-create-a-server-group.md
index fa407f994a..bc12c0bd0a 100644
--- a/mdop/appv-v4/how-to-create-a-server-group.md
+++ b/mdop/appv-v4/how-to-create-a-server-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md b/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md
index 249ed7b0e1..23e2b3570b 100644
--- a/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md
+++ b/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md
index 55143333bd..26aae4b1ea 100644
--- a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-an-application-group.md b/mdop/appv-v4/how-to-create-an-application-group.md
index 4144e95e2f..ac2fba82be 100644
--- a/mdop/appv-v4/how-to-create-an-application-group.md
+++ b/mdop/appv-v4/how-to-create-an-application-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-an-application-license-group.md b/mdop/appv-v4/how-to-create-an-application-license-group.md
index e1c6567c65..76da2668b9 100644
--- a/mdop/appv-v4/how-to-create-an-application-license-group.md
+++ b/mdop/appv-v4/how-to-create-an-application-license-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md
index 522662b28d..bf6769fb47 100644
--- a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md b/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md
index c169abd147..c4db220dcf 100644
--- a/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md
+++ b/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-the-package-root-directory.md b/mdop/appv-v4/how-to-create-the-package-root-directory.md
index 01ba72181f..8e00793ee2 100644
--- a/mdop/appv-v4/how-to-create-the-package-root-directory.md
+++ b/mdop/appv-v4/how-to-create-the-package-root-directory.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md
index 6b2e6bc05c..b745ddf86a 100644
--- a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md
+++ b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md b/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md
index 49f4a3afc7..f1e04f6d1e 100644
--- a/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-file-type-association.md b/mdop/appv-v4/how-to-delete-a-file-type-association.md
index 8f12921951..16c96b8513 100644
--- a/mdop/appv-v4/how-to-delete-a-file-type-association.md
+++ b/mdop/appv-v4/how-to-delete-a-file-type-association.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-package-version.md b/mdop/appv-v4/how-to-delete-a-package-version.md
index 62137f64ca..c1d92e1264 100644
--- a/mdop/appv-v4/how-to-delete-a-package-version.md
+++ b/mdop/appv-v4/how-to-delete-a-package-version.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-packageserver.md b/mdop/appv-v4/how-to-delete-a-packageserver.md
index c63d2eaf35..7f2bd13bae 100644
--- a/mdop/appv-v4/how-to-delete-a-packageserver.md
+++ b/mdop/appv-v4/how-to-delete-a-packageserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-reportserver.md b/mdop/appv-v4/how-to-delete-a-reportserver.md
index 2b8a517f7c..14ac327bbf 100644
--- a/mdop/appv-v4/how-to-delete-a-reportserver.md
+++ b/mdop/appv-v4/how-to-delete-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md
index 21e583e5b2..1fdb2c31c6 100644
--- a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-an-administrator-group.md b/mdop/appv-v4/how-to-delete-an-administrator-group.md
index c825492416..d538220e01 100644
--- a/mdop/appv-v4/how-to-delete-an-administrator-group.md
+++ b/mdop/appv-v4/how-to-delete-an-administrator-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-an-application-server.md b/mdop/appv-v4/how-to-delete-an-application-server.md
index 247163a1de..55f77b412f 100644
--- a/mdop/appv-v4/how-to-delete-an-application-server.md
+++ b/mdop/appv-v4/how-to-delete-an-application-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-an-application.md b/mdop/appv-v4/how-to-delete-an-application.md
index 4ac8548398..c1e441347c 100644
--- a/mdop/appv-v4/how-to-delete-an-application.md
+++ b/mdop/appv-v4/how-to-delete-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-deny-access-to-an-application.md b/mdop/appv-v4/how-to-deny-access-to-an-application.md
index e1a9045654..1dd6b7fdf5 100644
--- a/mdop/appv-v4/how-to-deny-access-to-an-application.md
+++ b/mdop/appv-v4/how-to-deny-access-to-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md b/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md
index 2c88ccb0f0..6fda63581a 100644
--- a/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md
+++ b/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md
index 140d19db20..5394ec7bb3 100644
--- a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md b/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md
index 07a83858b4..fc1d34c067 100644
--- a/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md
+++ b/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md b/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md
index b92d34564c..822fe72dd9 100644
--- a/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md
+++ b/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md
index 6930a3459d..41b7631eb1 100644
--- a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md
+++ b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-edit-an-osd-file.md b/mdop/appv-v4/how-to-edit-an-osd-file.md
index e150953185..6f19e9a7b7 100644
--- a/mdop/appv-v4/how-to-edit-an-osd-file.md
+++ b/mdop/appv-v4/how-to-edit-an-osd-file.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md b/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md
index 25d48601e0..480c2d8d34 100644
--- a/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md
+++ b/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-export-a-reportserver.md b/mdop/appv-v4/how-to-export-a-reportserver.md
index 6580474502..f7eb70e1aa 100644
--- a/mdop/appv-v4/how-to-export-a-reportserver.md
+++ b/mdop/appv-v4/how-to-export-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-grant-access-to-an-application.md b/mdop/appv-v4/how-to-grant-access-to-an-application.md
index 697afb607b..89a6cf8277 100644
--- a/mdop/appv-v4/how-to-grant-access-to-an-application.md
+++ b/mdop/appv-v4/how-to-grant-access-to-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-import-an-application.md b/mdop/appv-v4/how-to-import-an-application.md
index ecaec1c2de..2fc950a033 100644
--- a/mdop/appv-v4/how-to-import-an-application.md
+++ b/mdop/appv-v4/how-to-import-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-import-an-applicationserver.md b/mdop/appv-v4/how-to-import-an-applicationserver.md
index 24b4bce0dd..66852c68c1 100644
--- a/mdop/appv-v4/how-to-import-an-applicationserver.md
+++ b/mdop/appv-v4/how-to-import-an-applicationserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-a-database.md b/mdop/appv-v4/how-to-install-a-database.md
index 884793e4a7..da440a18ff 100644
--- a/mdop/appv-v4/how-to-install-a-database.md
+++ b/mdop/appv-v4/how-to-install-a-database.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md
index 83e7e4b7d1..ba2ed5bf33 100644
--- a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md
+++ b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md
index c5bb0dbe54..529a24aadc 100644
--- a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md
+++ b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md
index 0dd33e3482..9fff92bc25 100644
--- a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md
+++ b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md
index e2f80c72dd..37596836cd 100644
--- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md
+++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md
index f5b25c5517..5485cfe6f6 100644
--- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md
+++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md
index d9c4fb364b..5cf9e908d7 100644
--- a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md
index 0cd8731539..b6facad249 100644
--- a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md
+++ b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md
index ab7c6ff130..69e3331059 100644
--- a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md
+++ b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-management-console.md b/mdop/appv-v4/how-to-install-the-management-console.md
index 1f584040a8..df74e0f969 100644
--- a/mdop/appv-v4/how-to-install-the-management-console.md
+++ b/mdop/appv-v4/how-to-install-the-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-management-web-service.md b/mdop/appv-v4/how-to-install-the-management-web-service.md
index 66cdda0365..72f0d59456 100644
--- a/mdop/appv-v4/how-to-install-the-management-web-service.md
+++ b/mdop/appv-v4/how-to-install-the-management-web-service.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md
index ce132d4f49..ea900036a2 100644
--- a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-sequencer.md b/mdop/appv-v4/how-to-install-the-sequencer.md
index 411a6c5b05..decce9699a 100644
--- a/mdop/appv-v4/how-to-install-the-sequencer.md
+++ b/mdop/appv-v4/how-to-install-the-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md
index a5fa8f0893..d8d537d0e8 100644
--- a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md
+++ b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-load-files-and-packages.md b/mdop/appv-v4/how-to-load-files-and-packages.md
index 21dc909c70..f70cbf6dc3 100644
--- a/mdop/appv-v4/how-to-load-files-and-packages.md
+++ b/mdop/appv-v4/how-to-load-files-and-packages.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-load-or-unload-an-application.md b/mdop/appv-v4/how-to-load-or-unload-an-application.md
index 94fce4808b..5dd97091a1 100644
--- a/mdop/appv-v4/how-to-load-or-unload-an-application.md
+++ b/mdop/appv-v4/how-to-load-or-unload-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md
index 6443110c20..c089ce97ab 100644
--- a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md
+++ b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-lock-or-unlock-an-application.md b/mdop/appv-v4/how-to-lock-or-unlock-an-application.md
index 8913276ecd..1b2b033d69 100644
--- a/mdop/appv-v4/how-to-lock-or-unlock-an-application.md
+++ b/mdop/appv-v4/how-to-lock-or-unlock-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md
index 67680da087..a48df6078f 100644
--- a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md
index 279a9aaa89..89c0f06825 100644
--- a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md b/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md
index 5c28780e12..caa426f56a 100644
--- a/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md
+++ b/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md
index 636e572699..bfae14c37b 100644
--- a/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md
index 59097cac45..920445161f 100644
--- a/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md
index a8f2d9bbe5..cfd2debb42 100644
--- a/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md
index 2717afbee8..9287af4caa 100644
--- a/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md
index 1f9c00705d..b3050789b3 100644
--- a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md
+++ b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md
index 3002ee21c9..c88c2c0a2e 100644
--- a/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md
index 9b3d5d2637..1e5aa136e6 100644
--- a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md
+++ b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md b/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md
index 4048f3c6ba..49b1512034 100644
--- a/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manually-add-an-application.md b/mdop/appv-v4/how-to-manually-add-an-application.md
index 965954b973..b503780e0d 100644
--- a/mdop/appv-v4/how-to-manually-add-an-application.md
+++ b/mdop/appv-v4/how-to-manually-add-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
index 014d912472..3df7f2a0ee 100644
--- a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
+++ b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
@@ -9,56 +9,46 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
-
# How to Manually Install the Application Virtualization Client
-
There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md).
**Note**
-1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md).
-
-2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder.
-
+1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md).
+2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder.
**Note**
For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory.
-
-
**To manually install Application Virtualization Desktop Client**
-1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive.
+1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive.
-2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it.
+2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it.
-3. Review the Release Notes if appropriate.
+3. Review the Release Notes if appropriate.
-4. Browse to find the setup.exe file, and double-click setup.exe to start the installation.
+4. Browse to find the setup.exe file, and double-click setup.exe to start the installation.
-5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them:
+5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them:
- - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)
+ - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)
- - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)
+ - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)
- - Microsoft Application Error Reporting
+ - Microsoft Application Error Reporting
**Note**
For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86).
- For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see (https://go.microsoft.com/fwlink/?LinkId=150700).
+ For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [https://go.microsoft.com/fwlink/?LinkId=150700](https://go.microsoft.com/fwlink/?LinkId=150700).
-
-
-~~~
-If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully.
-~~~
+ If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully.
6. When the **Microsoft Application Virtualization Desktop Client – InstallShield Wizard** is displayed, click **Next**.
@@ -76,88 +66,66 @@ If prompted, click **Install**. Installation progress is displayed, and the stat
12. On the **Application Virtualization Data Location** screen, click **Next** to accept the default data locations or complete the following actions to change where the data is stored:
- 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data.
+ 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data.
- 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list.
+ 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list.
- 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications.
+ 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications.
**Note**
This path must be different for every user, so it should include a user-specific environment variable or a mapped drive or something else that will resolve to a unique path for each user.
-
-
- 4. When you have finished making the changes, click **Next**.
+ 4. When you have finished making the changes, click **Next**.
13. On the **Cache Size Settings** screen, you can accept or change the default cache size. Click one of the following radio buttons to choose how to manage the cache space:
- 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache.
+ 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache.
- 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused.
+ 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused.
- **Important**
- To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**.
+ **Important**
+ To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**.
-
-
-~~~
-Click **Next** to continue.
-~~~
+ Click **Next** to continue.
14. In the following sections of the **Runtime Package Policy Configuration** screen, you can change the parameters that affect how the Application Virtualization client behaves during runtime:
- 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file.
+ 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file.
- 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application.
+ 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application.
- 3. **Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share.
+ 3. **Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share.
- 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs.
+ 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs.
**Note**
When you install the App-V client to use with a read-only cache, for example, with a VDI server implementation, set **What applications to Auto Load** to **Do not automatically load applications** to prevent the client from trying to update applications in the read-only cache.
-
-
-~~~
-Click **Next** to continue.
-~~~
+ Click **Next** to continue.
15. On the **Publishing Server** screen, select the **Set up a Publishing Server now** check box if you want to define a publishing server, or click **Next** if you want to complete this later. To define a publishing server, specify the following information:
- 1. **Display Name**—Enter the name you want to display for the server.
+ 1. **Display Name**—Enter the name you want to display for the server.
- 2. **Type**—Select the server type from the drop-down list of server types.
+ 2. **Type**—Select the server type from the drop-down list of server types.
- 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs.
+ 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs.
- 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active.
+ 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active.
- 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client.
+ 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client.
- 6. When finished with the configuration steps, click **Next**.
+ 6. When finished with the configuration steps, click **Next**.
16. On the **Ready to Install the Program** screen, click **Install**. A screen is displayed that shows the progress of the installation.
17. On the **Install Wizard Completed** screen, click **Finish**.
- **Note**
- If the installation fails for any reason, you might need to restart the computer before trying the install again.
-
-
+ **Note**
+ If the installation fails for any reason, you might need to restart the computer before trying the install again.
## Related topics
-
[How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md)
[Stand-Alone Delivery Scenario Overview](stand-alone-delivery-scenario-overview.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md b/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md
index e681bb817e..4302487ce2 100644
--- a/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md
+++ b/mdop/appv-v4/how-to-manually-manage-applications-in-the-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md b/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md
index f2489eb2f5..f4e1e2a14e 100644
--- a/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md
+++ b/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md b/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md
index be75e8d6aa..b3286dd1fd 100644
--- a/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md
+++ b/mdop/appv-v4/how-to-modify-a-virtual-application-package--app-v-46-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md b/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md
index af10891ff9..9ef7b06355 100644
--- a/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md b/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md
index 0ac39a2bb7..98cb2e695d 100644
--- a/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md
+++ b/mdop/appv-v4/how-to-modify-attributes-of-embedded-services.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-file-mapping-information.md b/mdop/appv-v4/how-to-modify-file-mapping-information.md
index 650d2c5a16..bd04938de3 100644
--- a/mdop/appv-v4/how-to-modify-file-mapping-information.md
+++ b/mdop/appv-v4/how-to-modify-file-mapping-information.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md b/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md
index c5b952309a..c6af207c9b 100644
--- a/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md
+++ b/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md b/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md
index 8b1a2d787a..dabbe47a97 100644
--- a/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md
+++ b/mdop/appv-v4/how-to-modify-the-files-included-in-a-package.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md b/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md
index 9992f353aa..c3428e4556 100644
--- a/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md
+++ b/mdop/appv-v4/how-to-modify-the-location-of-the-log-directory.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md b/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md
index b4a00900c6..09e46293f9 100644
--- a/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md
+++ b/mdop/appv-v4/how-to-modify-the-location-of-the-scratch-directory.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-the-log-directory-location.md b/mdop/appv-v4/how-to-modify-the-log-directory-location.md
index 9b4accadbf..f02e8c4638 100644
--- a/mdop/appv-v4/how-to-modify-the-log-directory-location.md
+++ b/mdop/appv-v4/how-to-modify-the-log-directory-location.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md b/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md
index f3aa20ff3b..e331c63e11 100644
--- a/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md
+++ b/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md b/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md
index 582f590f01..325ec1b929 100644
--- a/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md
+++ b/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md b/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md
index a858d13e4d..4d0979f07c 100644
--- a/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md
+++ b/mdop/appv-v4/how-to-modify-virtual-registry-key-information.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-move-an-application-group.md b/mdop/appv-v4/how-to-move-an-application-group.md
index 13f84cae13..dc8b8b117a 100644
--- a/mdop/appv-v4/how-to-move-an-application-group.md
+++ b/mdop/appv-v4/how-to-move-an-application-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-move-an-application.md b/mdop/appv-v4/how-to-move-an-application.md
index 891de6a2a0..1ddecfd3b0 100644
--- a/mdop/appv-v4/how-to-move-an-application.md
+++ b/mdop/appv-v4/how-to-move-an-application.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md b/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md
index 9a25b5de7e..69ea2fdaa3 100644
--- a/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md b/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md
index b155413d62..7b74cd7b09 100644
--- a/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md
+++ b/mdop/appv-v4/how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md
index 884e42b049..78618cb92e 100644
--- a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md
+++ b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-app-v-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md
index 72d7607e31..129c4c2058 100644
--- a/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md
+++ b/mdop/appv-v4/how-to-perform-general-administrative-tasks-in-the-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-print-a-reportserver.md b/mdop/appv-v4/how-to-print-a-reportserver.md
index c691eb95df..c3407cc14a 100644
--- a/mdop/appv-v4/how-to-print-a-reportserver.md
+++ b/mdop/appv-v4/how-to-print-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md b/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md
index d91ae838c7..9a3d19e2a1 100644
--- a/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md
+++ b/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-publish-application-shortcuts.md b/mdop/appv-v4/how-to-publish-application-shortcuts.md
index 8098674b69..25b4335a06 100644
--- a/mdop/appv-v4/how-to-publish-application-shortcuts.md
+++ b/mdop/appv-v4/how-to-publish-application-shortcuts.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-refresh-the-publishing-servers.md b/mdop/appv-v4/how-to-refresh-the-publishing-servers.md
index 54494a77f0..c1f6550d87 100644
--- a/mdop/appv-v4/how-to-refresh-the-publishing-servers.md
+++ b/mdop/appv-v4/how-to-refresh-the-publishing-servers.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md
index 29ab05d2dd..9d197bf99f 100644
--- a/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md
+++ b/mdop/appv-v4/how-to-refresh-virtual-applications-from-the-desktop-notification-area.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md b/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md
index 4673705119..09098690cf 100644
--- a/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-remove-a-package-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-a-server-group.md b/mdop/appv-v4/how-to-remove-a-server-group.md
index 20cab42326..f29d802d3f 100644
--- a/mdop/appv-v4/how-to-remove-a-server-group.md
+++ b/mdop/appv-v4/how-to-remove-a-server-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-a-server.md b/mdop/appv-v4/how-to-remove-a-server.md
index bda6da9484..6bf7d4bcf3 100644
--- a/mdop/appv-v4/how-to-remove-a-server.md
+++ b/mdop/appv-v4/how-to-remove-a-server.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md b/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md
index 28cf02fc30..b6cf52235b 100644
--- a/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md
+++ b/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-an-application-group.md b/mdop/appv-v4/how-to-remove-an-application-group.md
index 9971b36c80..f6be0294c8 100644
--- a/mdop/appv-v4/how-to-remove-an-application-group.md
+++ b/mdop/appv-v4/how-to-remove-an-application-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-an-application-license-group.md b/mdop/appv-v4/how-to-remove-an-application-license-group.md
index 108f41917f..2ddff90f47 100644
--- a/mdop/appv-v4/how-to-remove-an-application-license-group.md
+++ b/mdop/appv-v4/how-to-remove-an-application-license-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md b/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md
index 2d2274110c..a24a7b50b4 100644
--- a/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md
+++ b/mdop/appv-v4/how-to-remove-the-application-virtualization-system-components.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-rename-an-application-group.md b/mdop/appv-v4/how-to-rename-an-application-group.md
index 55b03cd556..572521fe16 100644
--- a/mdop/appv-v4/how-to-rename-an-application-group.md
+++ b/mdop/appv-v4/how-to-rename-an-application-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-rename-an-application.md b/mdop/appv-v4/how-to-rename-an-application.md
index d16fc9a6e9..4f52a1b300 100644
--- a/mdop/appv-v4/how-to-rename-an-application.md
+++ b/mdop/appv-v4/how-to-rename-an-application.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-repair-an-application.md b/mdop/appv-v4/how-to-repair-an-application.md
index 21b8d3a5ef..ac189548e4 100644
--- a/mdop/appv-v4/how-to-repair-an-application.md
+++ b/mdop/appv-v4/how-to-repair-an-application.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-reset-the-filesystem-cache.md b/mdop/appv-v4/how-to-reset-the-filesystem-cache.md
index 8f50c720f3..c5e745460d 100644
--- a/mdop/appv-v4/how-to-reset-the-filesystem-cache.md
+++ b/mdop/appv-v4/how-to-reset-the-filesystem-cache.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-run-a-reportserver.md b/mdop/appv-v4/how-to-run-a-reportserver.md
index feb8ffd3aa..80562c889f 100644
--- a/mdop/appv-v4/how-to-run-a-reportserver.md
+++ b/mdop/appv-v4/how-to-run-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md
index 69b8fe0655..acfe510e08 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -79,13 +79,13 @@ Click **Next**.
10. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. If you want to customize any of the items in the following list, select **Customize**.
- - Edit the file type associations associated with an application.
+ - Edit the file type associations associated with an application.
- - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
+ - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
- - Specify the operating systems that can run this package.
+ - Specify the operating systems that can run this package.
- Click **Next**.
+ Click **Next**.
11. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application that you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. Under the application, select **Shortcuts** to review the shortcut information associated with an application. In the **Location** pane, you can review the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**.
diff --git a/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md b/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md
index 8cf0f80add..8ebca67179 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md b/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md
index 8df7b3d92a..590210b069 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md b/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md
index 65432aa68a..2f8c87b2f6 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-sequence-a-new-application.md b/mdop/appv-v4/how-to-sequence-a-new-application.md
index 21debde0ba..93f3d84506 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-application.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-application.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md
index 4f5f815988..3ca27b78c7 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md
index 0811b151cb..baf39c7e2c 100644
--- a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -69,13 +69,13 @@ Click **Next**.
11. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 15 of this procedure. If you want to customize any of the items in the following list, select **Customize**.
- - Edit the file type associations and the icons associated with an application.
+ - Edit the file type associations and the icons associated with an application.
- - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
+ - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
- - Specify the operating systems that can run this package.
+ - Specify the operating systems that can run this package.
- Click **Next**.
+ Click **Next**.
12. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) and shortcut locations that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. To review the shortcut information associated with an application, under the application, select **Shortcuts**, and in the **Location** pane, you can edit the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**.
diff --git a/mdop/appv-v4/how-to-sequence-an-application.md b/mdop/appv-v4/how-to-sequence-an-application.md
index 6e4b78a2d3..119261cce7 100644
--- a/mdop/appv-v4/how-to-sequence-an-application.md
+++ b/mdop/appv-v4/how-to-sequence-an-application.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md b/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md
index e70a585f56..ad438383ba 100644
--- a/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md
+++ b/mdop/appv-v4/how-to-set-up-a-concurrent-license-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-a-named-license-group.md b/mdop/appv-v4/how-to-set-up-a-named-license-group.md
index 3384f53bc7..5779656049 100644
--- a/mdop/appv-v4/how-to-set-up-a-named-license-group.md
+++ b/mdop/appv-v4/how-to-set-up-a-named-license-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md b/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md
index ad12a9daea..a793a50ed2 100644
--- a/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md
+++ b/mdop/appv-v4/how-to-set-up-an-unlimited-license-group.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md b/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md
index 330c8fd3c2..45059429b0 100644
--- a/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md
+++ b/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md b/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md
index 24f021a1d7..2171c365e1 100644
--- a/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md
+++ b/mdop/appv-v4/how-to-set-up-or-disable-application-licensing.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-or-disable-database-size.md b/mdop/appv-v4/how-to-set-up-or-disable-database-size.md
index 80082bec49..055ff8198c 100644
--- a/mdop/appv-v4/how-to-set-up-or-disable-database-size.md
+++ b/mdop/appv-v4/how-to-set-up-or-disable-database-size.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md b/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md
index cc5904c915..404bc76bd0 100644
--- a/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md
+++ b/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md b/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md
index 7c062516ea..f069cfa3b6 100644
--- a/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md
+++ b/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md b/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md
index 00463ee498..a416763534 100644
--- a/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md
+++ b/mdop/appv-v4/how-to-set-up-publishing-refresh-on-login.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-set-up-publishing-servers.md b/mdop/appv-v4/how-to-set-up-publishing-servers.md
index cc298754ab..ad41ea0184 100644
--- a/mdop/appv-v4/how-to-set-up-publishing-servers.md
+++ b/mdop/appv-v4/how-to-set-up-publishing-servers.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-uninstall-the-app-v-client.md b/mdop/appv-v4/how-to-uninstall-the-app-v-client.md
index 32cefce588..aa38719ec5 100644
--- a/mdop/appv-v4/how-to-uninstall-the-app-v-client.md
+++ b/mdop/appv-v4/how-to-uninstall-the-app-v-client.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md b/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md
index 6084e10e78..2285f43d07 100644
--- a/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md
+++ b/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-a-package.md b/mdop/appv-v4/how-to-upgrade-a-package.md
index 503f8d897c..a2e8150145 100644
--- a/mdop/appv-v4/how-to-upgrade-a-package.md
+++ b/mdop/appv-v4/how-to-upgrade-a-package.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md b/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md
index 3ed3a2cdfc..85293d4b7e 100644
--- a/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md b/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md
index 74d9705ad4..10086eb8f7 100644
--- a/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md
+++ b/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md b/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md
index 30f369aa2b..fcea04d661 100644
--- a/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md b/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md
index a1184994e7..82e5f8e584 100644
--- a/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md
+++ b/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md b/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md
index acf753d0fd..25e939097f 100644
--- a/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md
+++ b/mdop/appv-v4/how-to-upgrade-an-existing-virtual-application.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md
index f2acf0f9d6..841dd29209 100644
--- a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md
+++ b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md
index d120506886..8505528785 100644
--- a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md b/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md
index 3724881e5b..07994fd06a 100644
--- a/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md
+++ b/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-use-dynamic-suite-composition.md b/mdop/appv-v4/how-to-use-dynamic-suite-composition.md
index a92d326172..e2c025e1fc 100644
--- a/mdop/appv-v4/how-to-use-dynamic-suite-composition.md
+++ b/mdop/appv-v4/how-to-use-dynamic-suite-composition.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md b/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md
index 5c1a2d616f..c449a2a051 100644
--- a/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md
+++ b/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md b/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md
index 47ad3bd18b..ec96967913 100644
--- a/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md
+++ b/mdop/appv-v4/how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-use-the-differential-sft-file.md b/mdop/appv-v4/how-to-use-the-differential-sft-file.md
index ee2cad8104..76fe2dc754 100644
--- a/mdop/appv-v4/how-to-use-the-differential-sft-file.md
+++ b/mdop/appv-v4/how-to-use-the-differential-sft-file.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md b/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md
index 2600e02b87..99672dfe57 100644
--- a/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md
+++ b/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/improving-security-during-app-v-sequencing.md b/mdop/appv-v4/improving-security-during-app-v-sequencing.md
index 25d280c294..36abc689dd 100644
--- a/mdop/appv-v4/improving-security-during-app-v-sequencing.md
+++ b/mdop/appv-v4/improving-security-during-app-v-sequencing.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md
index c02fae6064..b621af0ea0 100644
--- a/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/incompatible-installer-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/index.md b/mdop/appv-v4/index.md
index 8f75ce1701..02747f94e3 100644
--- a/mdop/appv-v4/index.md
+++ b/mdop/appv-v4/index.md
@@ -1,12 +1,12 @@
---
title: Application Virtualization 4
description: Application Virtualization 4
-author: jamiejdt
+author: dansimp
ms.assetid: 9da557bc-f433-47d3-8af7-68ec4ff9bd3f
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/installation-files-page.md b/mdop/appv-v4/installation-files-page.md
index 01386f3df3..e27b8a8203 100644
--- a/mdop/appv-v4/installation-files-page.md
+++ b/mdop/appv-v4/installation-files-page.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/installation-page--learn-more-.md b/mdop/appv-v4/installation-page--learn-more-.md
index 16497b85eb..decc1b459b 100644
--- a/mdop/appv-v4/installation-page--learn-more-.md
+++ b/mdop/appv-v4/installation-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/installation-report-page--learn-more-.md b/mdop/appv-v4/installation-report-page--learn-more-.md
index 343d0b17fd..4dc8d9afc6 100644
--- a/mdop/appv-v4/installation-report-page--learn-more-.md
+++ b/mdop/appv-v4/installation-report-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md b/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md
index a57d3fd5ef..9770276fd5 100644
--- a/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md
+++ b/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md b/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md
index d6386c9039..f1e423b957 100644
--- a/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md
+++ b/mdop/appv-v4/internet-facing-considerations-for-app-v-clients.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md b/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md
index 08a864e1ad..7ed378d7f0 100644
--- a/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md
+++ b/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md b/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md
index fb9336a35c..5e5e2a17d9 100644
--- a/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md
+++ b/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/load-app.md b/mdop/appv-v4/load-app.md
index e76ab3bbfd..ec44358bc7 100644
--- a/mdop/appv-v4/load-app.md
+++ b/mdop/appv-v4/load-app.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/load-package.md b/mdop/appv-v4/load-package.md
index a5b0ab5872..2de2fe1aa4 100644
--- a/mdop/appv-v4/load-package.md
+++ b/mdop/appv-v4/load-package.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/lock-app.md b/mdop/appv-v4/lock-app.md
index e33f3dccae..c6e0e0a6eb 100644
--- a/mdop/appv-v4/lock-app.md
+++ b/mdop/appv-v4/lock-app.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/log-file-for-the-application-virtualization-client.md b/mdop/appv-v4/log-file-for-the-application-virtualization-client.md
index 0d0fbf2b4d..ca3662f546 100644
--- a/mdop/appv-v4/log-file-for-the-application-virtualization-client.md
+++ b/mdop/appv-v4/log-file-for-the-application-virtualization-client.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md b/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md
index 62fe4015f9..ba4748b2d7 100644
--- a/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/log-files-for-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md
index 9842c91c7b..b631d97a83 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-1-privacy-statement.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md
index f7ffd9de24..feb3688ed5 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -76,7 +76,7 @@ This section is divided into two parts: (1) features in all versions of App-V an
Microsoft Error Reporting provides a service that allows you to report problems you may be having with App-V to Microsoft and to receive information that may help you avoid or solve such problems.
-**Information Collected, Processed, or Transmitted: **
+**Information Collected, Processed, or Transmitted:**
For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at .
@@ -84,7 +84,7 @@ For information about the information collected, processed, or transmitted by Mi
We use the error reporting data to solve customer problems and improve our software and services.
-**Choice/Control: **
+**Choice/Control:**
App-V does not change your Microsoft Error Reporting settings. If you previously turned on error reporting, it will send Microsoft the information about the errors you encountered. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it. App-V will always respect your Microsoft Error Reporting settings.
@@ -98,7 +98,7 @@ Enterprise customers can use Group Policy to configure how Microsoft Error Repor
Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including App-V. For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at .
-**Choice/Control: **
+**Choice/Control:**
If Microsoft Update is not enabled, you can opt-in during setup and subsequent checks for updates will follow the machine-wide schedule. You can update this option from the Microsoft Update Control Panel item.
@@ -108,7 +108,7 @@ If Microsoft Update is not enabled, you can opt-in during setup and subsequent c
The product will collect various configuration items, including UserID, MachineID and SecurityGroup details, to be able to enforce settings on managed nodes. The data is stored in the App-V SQL database and transmitted across the App-V server and client components to enforce the configuration on the managed node.
-**Information Collected, Processed, or Transmitted: **
+**Information Collected, Processed, or Transmitted:**
User and machine information and configuration content
@@ -116,7 +116,7 @@ User and machine information and configuration content
The information is used to enforce the application access configuration on the managed nodes within the enterprise. The information does not leave the enterprise.
-**Choice/Control: **
+**Choice/Control:**
By default, the product does not have any data. All data is entered and enabled by the admin and can be viewed in the Management console. The feature cannot be disabled as this is the product functionality. To disable this, App-V will need to be uninstalled.
@@ -130,7 +130,7 @@ None of this information is sent out of the enterprise.
It captures package history and asset information as part of the package.
-**Information Collected, Processed, or Transmitted: **
+**Information Collected, Processed, or Transmitted:**
Information about the package and the sequencing environment is collected and stored in the package manifest during sequencing.
@@ -138,7 +138,7 @@ Information about the package and the sequencing environment is collected and st
The information will be used by the admin to track the updates done to a package during its lifecycle. It will also be used by software deployment systems to track the package deployments within the organization.
-**Choice/Control: **
+**Choice/Control:**
This feature is always enabled and cannot be turned off.
@@ -152,7 +152,7 @@ This administrator information will be stored in the package and can be viewed b
The product will collect a variety of reporting data points, including the username, to allow reporting on the usage of the product.
-**Information Collected, Processed, or Transmitted: **
+**Information Collected, Processed, or Transmitted:**
Information about the machine, package and application usage are collected from every machine that reporting is enabled on.
@@ -160,7 +160,7 @@ Information about the machine, package and application usage are collected from
The information is used to report on application usage within the enterprise. The information does not leave the enterprise.
-**Choice/Control: **
+**Choice/Control:**
By default, the product does not have any data. Data is only collected once the reporting feature is enabled on the App-V Client. To disable the collection of reporting data, the reporting feature must be disabled on all clients.
@@ -178,7 +178,7 @@ This section addresses specific features available in App-V 4.6 SP1 and later.
The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information.
-**Information Collected, Processed, or Transmitted: **
+**Information Collected, Processed, or Transmitted:**
For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at .
@@ -186,7 +186,7 @@ For more information about the information collected, processed, or transmitted
We use this information to improve the quality, reliability, and performance of Microsoft software and services.
-**Choice/Control: **
+**Choice/Control:**
CEIP is optional and the opt-in status can be updated during install or post install from the GUI.
@@ -196,7 +196,7 @@ CEIP is optional and the opt-in status can be updated during install or post ins
Customers can use Application Package Accelerators to automatically package complex applications without installing the application. The App-V sequencer allows you to create package accelerators for each virtual package. You can then use these package accelerators to automatically re-create the same virtual package in the future. You may also use package accelerators released by Microsoft or other third parties to simplify and automate packaging of complex applications.
-**Information Collected, Processed, or Transmitted: **
+**Information Collected, Processed, or Transmitted:**
Application Package Accelerators may contain information such as computer names, user account information, and information about applications included in the Package Accelerator file.
diff --git a/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md b/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md
index 8b5c8b1759..4c68c94bf5 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-client-management-help.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md b/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md
index d581ace524..8d3ac35075 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-getting-started-guide.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md
index 1e8882dde6..e0573f689e 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md
index 34494bd042..faa8e6fb37 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/microsoft-application-virtualization-security-guide.md b/mdop/appv-v4/microsoft-application-virtualization-security-guide.md
index c57610a611..610d1317df 100644
--- a/mdop/appv-v4/microsoft-application-virtualization-security-guide.md
+++ b/mdop/appv-v4/microsoft-application-virtualization-security-guide.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/monitoring-application-virtualization-servers.md b/mdop/appv-v4/monitoring-application-virtualization-servers.md
index 9058c5bf3d..e2b08724bc 100644
--- a/mdop/appv-v4/monitoring-application-virtualization-servers.md
+++ b/mdop/appv-v4/monitoring-application-virtualization-servers.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/online-help-for-application-virtualization.md b/mdop/appv-v4/online-help-for-application-virtualization.md
index 5607572347..7b0fb5aa06 100644
--- a/mdop/appv-v4/online-help-for-application-virtualization.md
+++ b/mdop/appv-v4/online-help-for-application-virtualization.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md b/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md
index cf155ad5c7..1b5f04ae2a 100644
--- a/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md
+++ b/mdop/appv-v4/open-package-wizard---appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md b/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md
index 7537dd9052..0ecbf6bd98 100644
--- a/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md
+++ b/mdop/appv-v4/operations-guide-for-the-application-virtualization-system.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/osd-file-elements.md b/mdop/appv-v4/osd-file-elements.md
index 77e35c6c8f..157d258180 100644
--- a/mdop/appv-v4/osd-file-elements.md
+++ b/mdop/appv-v4/osd-file-elements.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/osd-tab-keep.md b/mdop/appv-v4/osd-tab-keep.md
index 256b47eed2..6ee10b4d02 100644
--- a/mdop/appv-v4/osd-tab-keep.md
+++ b/mdop/appv-v4/osd-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md
index e088b5a477..1ad9f93518 100644
--- a/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/oversized-package-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/overview-of-application-virtualization.md b/mdop/appv-v4/overview-of-application-virtualization.md
index 60b9846d7a..2381ed0605 100644
--- a/mdop/appv-v4/overview-of-application-virtualization.md
+++ b/mdop/appv-v4/overview-of-application-virtualization.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md b/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md
index cdd61b6351..672e8b0158 100644
--- a/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md
+++ b/mdop/appv-v4/overview-of-the-application-virtualization-system-components.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/package-name-page---learn-more-.md b/mdop/appv-v4/package-name-page---learn-more-.md
index 2ec6a13682..47e9be6e5f 100644
--- a/mdop/appv-v4/package-name-page---learn-more-.md
+++ b/mdop/appv-v4/package-name-page---learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/package-name-page--app-v-46-sp1.md b/mdop/appv-v4/package-name-page--app-v-46-sp1.md
index d6a33e85ab..b595db124d 100644
--- a/mdop/appv-v4/package-name-page--app-v-46-sp1.md
+++ b/mdop/appv-v4/package-name-page--app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/package-results-pane-columns.md b/mdop/appv-v4/package-results-pane-columns.md
index 2197976bc7..cfca796126 100644
--- a/mdop/appv-v4/package-results-pane-columns.md
+++ b/mdop/appv-v4/package-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/package-results-pane.md b/mdop/appv-v4/package-results-pane.md
index d9670bd51d..65808ecea6 100644
--- a/mdop/appv-v4/package-results-pane.md
+++ b/mdop/appv-v4/package-results-pane.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/packages-node.md b/mdop/appv-v4/packages-node.md
index 548eea3031..6bdf422c6e 100644
--- a/mdop/appv-v4/packages-node.md
+++ b/mdop/appv-v4/packages-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/packaging-method--learn-more-.md b/mdop/appv-v4/packaging-method--learn-more-.md
index b1016bf355..f0fd04c1c6 100644
--- a/mdop/appv-v4/packaging-method--learn-more-.md
+++ b/mdop/appv-v4/packaging-method--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/packaging-method-page--learn-more-.md b/mdop/appv-v4/packaging-method-page--learn-more-.md
index dade78cf81..7d367a7c65 100644
--- a/mdop/appv-v4/packaging-method-page--learn-more-.md
+++ b/mdop/appv-v4/packaging-method-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/parse-items-tab-keep.md b/mdop/appv-v4/parse-items-tab-keep.md
index 04e254d387..5f70497e42 100644
--- a/mdop/appv-v4/parse-items-tab-keep.md
+++ b/mdop/appv-v4/parse-items-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md b/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md
index 3e3b86e643..890bce54a6 100644
--- a/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md
+++ b/mdop/appv-v4/planning-and-deployment-guide-for-the-application-virtualization-system.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md b/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md
index 71f4d2d740..c7c2e67bf3 100644
--- a/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md
+++ b/mdop/appv-v4/planning-for-application-virtualization-client-deployment.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md b/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md
index c76572d411..b54977c4b8 100644
--- a/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md
+++ b/mdop/appv-v4/planning-for-application-virtualization-system-deployment.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-for-client-security.md b/mdop/appv-v4/planning-for-client-security.md
index 6050d3895b..2e70095470 100644
--- a/mdop/appv-v4/planning-for-client-security.md
+++ b/mdop/appv-v4/planning-for-client-security.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -34,7 +34,7 @@ By default, at installation the App-V client is configured with the minimum perm
By default, the installation of the client registers file type associations (FTAs) for OSD files, which enables users to start applications directly from OSD files instead of the published shortcuts. If a user with local administrator rights receives an OSD file containing malicious code, either in e-mail or downloaded from a Web site, the user can open the OSD file and start the application even if the client has been set to restrict the **Add Application** permission. You can unregister the FTAs for the OSD to reduce this risk. Also, consider blocking this extension in the e-mail system and at the firewall. For more information about configuring Outlook to block extensions, see .
-**Security Note: **
+**Security Note:**
Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown:
@@ -50,7 +50,7 @@ During installation, you can use the **RequireAuthorizationIfCached** parameter
Antivirus software running on an App-V Client computer can detect and report an infected file in the virtual environment. However, it cannot disinfect the file. If a virus is detected in the virtual environment, the antivirus software would perform the configured quarantine or repair operation in the cache, not in the actual package. Configure the antivirus software with an exception for the sftfs.fsd file. This file is the cache file that stores packages on the App-V Client.
-**Security Note: **
+**Security Note:**
If a virus is detected in an application or package deployed in the production environment, replace the application or package with a virus-free version.
diff --git a/mdop/appv-v4/planning-for-migration-from-previous-versions.md b/mdop/appv-v4/planning-for-migration-from-previous-versions.md
index c999a32a70..31b155f1d0 100644
--- a/mdop/appv-v4/planning-for-migration-from-previous-versions.md
+++ b/mdop/appv-v4/planning-for-migration-from-previous-versions.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/planning-for-security-and-protection.md b/mdop/appv-v4/planning-for-security-and-protection.md
index b750a27dca..a229a68305 100644
--- a/mdop/appv-v4/planning-for-security-and-protection.md
+++ b/mdop/appv-v4/planning-for-security-and-protection.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-for-sequencer-security.md b/mdop/appv-v4/planning-for-sequencer-security.md
index d3ad4052ec..fc925dca50 100644
--- a/mdop/appv-v4/planning-for-sequencer-security.md
+++ b/mdop/appv-v4/planning-for-sequencer-security.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-for-server-security.md b/mdop/appv-v4/planning-for-server-security.md
index 7f51cc0fc6..2cc2c0459b 100644
--- a/mdop/appv-v4/planning-for-server-security.md
+++ b/mdop/appv-v4/planning-for-server-security.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -31,7 +31,7 @@ The content directory contains all of the packages that are to be streamed to cl
Keep the number of users with administrative privileges to a minimum to reduce possible threats to the data in the data store and to avoid publishing malicious applications into the infrastructure.
-## Application Virtualization Security
+## Application Virtualization Security
App-V uses several methods of communication between the various components of the infrastructure. When you plan your App-V infrastructure, securing the communications between servers can reduce the security risks that might already be present on the existing network.
diff --git a/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md b/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md
index fe295dc2f6..90f6f01821 100644
--- a/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md
+++ b/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md b/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md
index 15a00e586c..f81b40c0e2 100644
--- a/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md
+++ b/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md b/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md
index a166551ed1..0ec37daf28 100644
--- a/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md
+++ b/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/prepare-computer-page--learn-more-.md b/mdop/appv-v4/prepare-computer-page--learn-more-.md
index d1b9f19800..4920b634e8 100644
--- a/mdop/appv-v4/prepare-computer-page--learn-more-.md
+++ b/mdop/appv-v4/prepare-computer-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/properties-tab-keep.md b/mdop/appv-v4/properties-tab-keep.md
index f6f72144b0..af45012be4 100644
--- a/mdop/appv-v4/properties-tab-keep.md
+++ b/mdop/appv-v4/properties-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/provider-policies-node.md b/mdop/appv-v4/provider-policies-node.md
index 38f417e3a1..23667457d8 100644
--- a/mdop/appv-v4/provider-policies-node.md
+++ b/mdop/appv-v4/provider-policies-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/provider-policies-results-pane-columns.md b/mdop/appv-v4/provider-policies-results-pane-columns.md
index 2b83fbccc2..edc54d5af9 100644
--- a/mdop/appv-v4/provider-policies-results-pane-columns.md
+++ b/mdop/appv-v4/provider-policies-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/provider-policies-results-pane.md b/mdop/appv-v4/provider-policies-results-pane.md
index 8bad9dc1e4..2f0f38d356 100644
--- a/mdop/appv-v4/provider-policies-results-pane.md
+++ b/mdop/appv-v4/provider-policies-results-pane.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publish-app.md b/mdop/appv-v4/publish-app.md
index 365bd869f4..13b9f2635e 100644
--- a/mdop/appv-v4/publish-app.md
+++ b/mdop/appv-v4/publish-app.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publish-package.md b/mdop/appv-v4/publish-package.md
index 0ddf0d20e8..04b4e5c319 100644
--- a/mdop/appv-v4/publish-package.md
+++ b/mdop/appv-v4/publish-package.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publishing-servers-node.md b/mdop/appv-v4/publishing-servers-node.md
index bc9ef99098..76d964d714 100644
--- a/mdop/appv-v4/publishing-servers-node.md
+++ b/mdop/appv-v4/publishing-servers-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publishing-servers-results-pane-columns.md b/mdop/appv-v4/publishing-servers-results-pane-columns.md
index ef1b0fcca5..4d18f6216d 100644
--- a/mdop/appv-v4/publishing-servers-results-pane-columns.md
+++ b/mdop/appv-v4/publishing-servers-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publishing-servers-results-pane.md b/mdop/appv-v4/publishing-servers-results-pane.md
index 9ed534f85d..09a6240706 100644
--- a/mdop/appv-v4/publishing-servers-results-pane.md
+++ b/mdop/appv-v4/publishing-servers-results-pane.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md b/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md
index 8b19e64174..3e8cc15328 100644
--- a/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md
+++ b/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md b/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md
index 7587f1b537..9201d18ee2 100644
--- a/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md
+++ b/mdop/appv-v4/publishing-virtual-applications-using-electronic-software-distribution.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/query-obj.md b/mdop/appv-v4/query-obj.md
index 21de4d2dc6..ffe63b39cb 100644
--- a/mdop/appv-v4/query-obj.md
+++ b/mdop/appv-v4/query-obj.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/refresh-server.md b/mdop/appv-v4/refresh-server.md
index bb227a1cc9..ce416e2f57 100644
--- a/mdop/appv-v4/refresh-server.md
+++ b/mdop/appv-v4/refresh-server.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/repair-app.md b/mdop/appv-v4/repair-app.md
index 7d6f2d1ea2..8028a99b00 100644
--- a/mdop/appv-v4/repair-app.md
+++ b/mdop/appv-v4/repair-app.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/reports-node.md b/mdop/appv-v4/reports-node.md
index 8ba7e786a8..3a134a0bf2 100644
--- a/mdop/appv-v4/reports-node.md
+++ b/mdop/appv-v4/reports-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/reports-results-pane-columns.md b/mdop/appv-v4/reports-results-pane-columns.md
index 760dc1d0cf..30d4a7cd79 100644
--- a/mdop/appv-v4/reports-results-pane-columns.md
+++ b/mdop/appv-v4/reports-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/reports-results-pane.md b/mdop/appv-v4/reports-results-pane.md
index c885db722e..1bf053f4df 100644
--- a/mdop/appv-v4/reports-results-pane.md
+++ b/mdop/appv-v4/reports-results-pane.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md
index 38956d73ff..f8023fed89 100644
--- a/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/restart-task-failure-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md b/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md
index 14baba4904..fca8e43e79 100644
--- a/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md
+++ b/mdop/appv-v4/run-each-program-page-app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/security-and-protection-overview.md b/mdop/appv-v4/security-and-protection-overview.md
index fc4bd7ab49..2f668ca5d7 100644
--- a/mdop/appv-v4/security-and-protection-overview.md
+++ b/mdop/appv-v4/security-and-protection-overview.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -21,7 +21,7 @@ Microsoft Application Virtualization 4.5 provides the following enhanced securi
- Application Virtualization now supports Transport Layer Security (TLS) using X.509 V3 certificates. Provided that a server certificate has been provisioned to the planned Application Virtualization Management or Streaming Server, the installation will default to secure, using the RTSPS protocol over port 322. Using RTSPS ensures that communication between the Application Virtualization Servers and the Application Virtualization Clients is signed and encrypted. If no certificate is assigned to the server during the Application Virtualization Server installation, the communication will be set to RTSP over port 554.
- **Security Note: **
+ **Security Note:**
To help provide a secure setup of the server, you must make sure that RTSP ports are disabled even if you have all packages configured to use RTSPS.
diff --git a/mdop/appv-v4/select-files-page.md b/mdop/appv-v4/select-files-page.md
index 01baa300ba..3e3ce46931 100644
--- a/mdop/appv-v4/select-files-page.md
+++ b/mdop/appv-v4/select-files-page.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-guidance-page--package-accelerators-.md b/mdop/appv-v4/select-guidance-page--package-accelerators-.md
index 77b089953b..f2a9ba20b3 100644
--- a/mdop/appv-v4/select-guidance-page--package-accelerators-.md
+++ b/mdop/appv-v4/select-guidance-page--package-accelerators-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md b/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md
index 69735eb53e..0fb499ff9d 100644
--- a/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md
+++ b/mdop/appv-v4/select-installation-files-page-app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-installer-page--learn-more-.md b/mdop/appv-v4/select-installer-page--learn-more-.md
index 56c3d2df7d..c0c95a1828 100644
--- a/mdop/appv-v4/select-installer-page--learn-more-.md
+++ b/mdop/appv-v4/select-installer-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-package--learn-more--page.md b/mdop/appv-v4/select-package--learn-more--page.md
index c23544c5fb..078dbfbad4 100644
--- a/mdop/appv-v4/select-package--learn-more--page.md
+++ b/mdop/appv-v4/select-package--learn-more--page.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-package-accelerator--learn-more--page.md b/mdop/appv-v4/select-package-accelerator--learn-more--page.md
index 3e387a8a14..28c3dd746a 100644
--- a/mdop/appv-v4/select-package-accelerator--learn-more--page.md
+++ b/mdop/appv-v4/select-package-accelerator--learn-more--page.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-package-accelerator-page.md b/mdop/appv-v4/select-package-accelerator-page.md
index 8969a6ffaf..d06ddc61ba 100644
--- a/mdop/appv-v4/select-package-accelerator-page.md
+++ b/mdop/appv-v4/select-package-accelerator-page.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-primary-page--learn-more-.md b/mdop/appv-v4/select-primary-page--learn-more-.md
index 1a1ed7a346..a35e3c17bc 100644
--- a/mdop/appv-v4/select-primary-page--learn-more-.md
+++ b/mdop/appv-v4/select-primary-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/select-task-page--learn-more-.md b/mdop/appv-v4/select-task-page--learn-more-.md
index 1f5037a3e4..fd9a980960 100644
--- a/mdop/appv-v4/select-task-page--learn-more-.md
+++ b/mdop/appv-v4/select-task-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencer-command-line-error-codes.md b/mdop/appv-v4/sequencer-command-line-error-codes.md
index a328fb293d..dd6de8148b 100644
--- a/mdop/appv-v4/sequencer-command-line-error-codes.md
+++ b/mdop/appv-v4/sequencer-command-line-error-codes.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencer-command-line-parameters.md b/mdop/appv-v4/sequencer-command-line-parameters.md
index f0a873d666..45f23f75de 100644
--- a/mdop/appv-v4/sequencer-command-line-parameters.md
+++ b/mdop/appv-v4/sequencer-command-line-parameters.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencer-console.md b/mdop/appv-v4/sequencer-console.md
index 075bbf4f05..7400f6a83a 100644
--- a/mdop/appv-v4/sequencer-console.md
+++ b/mdop/appv-v4/sequencer-console.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencer-dialog-boxes.md b/mdop/appv-v4/sequencer-dialog-boxes.md
index 796ed43e5a..41e0e7f3a7 100644
--- a/mdop/appv-v4/sequencer-dialog-boxes.md
+++ b/mdop/appv-v4/sequencer-dialog-boxes.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/sequencer-hardware-and-software-requirements.md
index 47e3854169..1a194914ee 100644
--- a/mdop/appv-v4/sequencer-hardware-and-software-requirements.md
+++ b/mdop/appv-v4/sequencer-hardware-and-software-requirements.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md b/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md
index 49a306d35f..684ee01f73 100644
--- a/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md
+++ b/mdop/appv-v4/sequencer-wizard---package-accelerator--appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sequencing-wizard.md b/mdop/appv-v4/sequencing-wizard.md
index b439b83d0a..d4f7d09fec 100644
--- a/mdop/appv-v4/sequencing-wizard.md
+++ b/mdop/appv-v4/sequencing-wizard.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-groups-node.md b/mdop/appv-v4/server-groups-node.md
index 449204c5da..ce1414674d 100644
--- a/mdop/appv-v4/server-groups-node.md
+++ b/mdop/appv-v4/server-groups-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-groups-results-pane-columns.md b/mdop/appv-v4/server-groups-results-pane-columns.md
index 33042df361..f3e42b607f 100644
--- a/mdop/appv-v4/server-groups-results-pane-columns.md
+++ b/mdop/appv-v4/server-groups-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-groups-results-pane.md b/mdop/appv-v4/server-groups-results-pane.md
index 1d2a446726..129e193e76 100644
--- a/mdop/appv-v4/server-groups-results-pane.md
+++ b/mdop/appv-v4/server-groups-results-pane.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-about-dialog-boxes.md b/mdop/appv-v4/server-management-console-about-dialog-boxes.md
index 5ab178a36b..3efe389863 100644
--- a/mdop/appv-v4/server-management-console-about-dialog-boxes.md
+++ b/mdop/appv-v4/server-management-console-about-dialog-boxes.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-administrators-node.md b/mdop/appv-v4/server-management-console-administrators-node.md
index 9394274f33..015c4f342b 100644
--- a/mdop/appv-v4/server-management-console-administrators-node.md
+++ b/mdop/appv-v4/server-management-console-administrators-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-application-licenses-node.md b/mdop/appv-v4/server-management-console-application-licenses-node.md
index 2a8a97906f..3f238741ce 100644
--- a/mdop/appv-v4/server-management-console-application-licenses-node.md
+++ b/mdop/appv-v4/server-management-console-application-licenses-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-application-virtualization-system-node.md b/mdop/appv-v4/server-management-console-application-virtualization-system-node.md
index 527349e8e6..8b80ae666f 100644
--- a/mdop/appv-v4/server-management-console-application-virtualization-system-node.md
+++ b/mdop/appv-v4/server-management-console-application-virtualization-system-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-applications-node.md b/mdop/appv-v4/server-management-console-applications-node.md
index 4b4463745a..a60b48ffce 100644
--- a/mdop/appv-v4/server-management-console-applications-node.md
+++ b/mdop/appv-v4/server-management-console-applications-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-file-type-associations-node.md b/mdop/appv-v4/server-management-console-file-type-associations-node.md
index e40517eb0a..fceda812e7 100644
--- a/mdop/appv-v4/server-management-console-file-type-associations-node.md
+++ b/mdop/appv-v4/server-management-console-file-type-associations-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-packages-node.md b/mdop/appv-v4/server-management-console-packages-node.md
index 2bd20d93df..1dfe0fa72c 100644
--- a/mdop/appv-v4/server-management-console-packages-node.md
+++ b/mdop/appv-v4/server-management-console-packages-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-provider-policies-node.md b/mdop/appv-v4/server-management-console-provider-policies-node.md
index 6d899befab..ce731f565e 100644
--- a/mdop/appv-v4/server-management-console-provider-policies-node.md
+++ b/mdop/appv-v4/server-management-console-provider-policies-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-reports-node.md b/mdop/appv-v4/server-management-console-reports-node.md
index 1b6808031b..414250a6ed 100644
--- a/mdop/appv-v4/server-management-console-reports-node.md
+++ b/mdop/appv-v4/server-management-console-reports-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/server-management-console-server-groups-node.md b/mdop/appv-v4/server-management-console-server-groups-node.md
index 7b3cc68876..fa0a289798 100644
--- a/mdop/appv-v4/server-management-console-server-groups-node.md
+++ b/mdop/appv-v4/server-management-console-server-groups-node.md
@@ -9,7 +9,7 @@ ms.author: eravena
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sftmime--command-reference.md b/mdop/appv-v4/sftmime--command-reference.md
index 1f2d7d6407..55ee1492e0 100644
--- a/mdop/appv-v4/sftmime--command-reference.md
+++ b/mdop/appv-v4/sftmime--command-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/sfttray-command-reference.md b/mdop/appv-v4/sfttray-command-reference.md
index 38b1c28072..bf89666ba8 100644
--- a/mdop/appv-v4/sfttray-command-reference.md
+++ b/mdop/appv-v4/sfttray-command-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md
index 2148e9742b..ce583088cc 100644
--- a/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/side-by-side-privatization-failed-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/software-audit-reportserver.md b/mdop/appv-v4/software-audit-reportserver.md
index 4d147072ea..d360b339b8 100644
--- a/mdop/appv-v4/software-audit-reportserver.md
+++ b/mdop/appv-v4/software-audit-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md b/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md
index ca951538f7..057f6f881c 100644
--- a/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md
+++ b/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/stand-alone-delivery-scenario-overview.md b/mdop/appv-v4/stand-alone-delivery-scenario-overview.md
index 7ac815d680..07365c016e 100644
--- a/mdop/appv-v4/stand-alone-delivery-scenario-overview.md
+++ b/mdop/appv-v4/stand-alone-delivery-scenario-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/streaming-page-learn-more.md b/mdop/appv-v4/streaming-page-learn-more.md
index 690d651a6b..da5ad4a4f7 100644
--- a/mdop/appv-v4/streaming-page-learn-more.md
+++ b/mdop/appv-v4/streaming-page-learn-more.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/support-for-client-reporting-over-http.md b/mdop/appv-v4/support-for-client-reporting-over-http.md
index 1afa6d3679..affd21c498 100644
--- a/mdop/appv-v4/support-for-client-reporting-over-http.md
+++ b/mdop/appv-v4/support-for-client-reporting-over-http.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md
index 03fc10a7d3..836a996cb8 100644
--- a/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/sxs-conflict-detected-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/system-error-reportserver.md b/mdop/appv-v4/system-error-reportserver.md
index a981fa9bd2..a05fd63491 100644
--- a/mdop/appv-v4/system-error-reportserver.md
+++ b/mdop/appv-v4/system-error-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/system-utilization-reportserver.md b/mdop/appv-v4/system-utilization-reportserver.md
index 7251ff513b..d8d31cf853 100644
--- a/mdop/appv-v4/system-utilization-reportserver.md
+++ b/mdop/appv-v4/system-utilization-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/target-os-page-learn-more.md b/mdop/appv-v4/target-os-page-learn-more.md
index ef9fb2aa79..8b841dc45f 100644
--- a/mdop/appv-v4/target-os-page-learn-more.md
+++ b/mdop/appv-v4/target-os-page-learn-more.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md
index d7a550ba6b..c7fd7547bb 100644
--- a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md
+++ b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md
index 736d4abb06..5241b96cce 100644
--- a/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/tasks-for-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md b/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md
index d518b6dd1c..0c9d93141c 100644
--- a/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md
+++ b/mdop/appv-v4/troubleshooting-application-virtualization-sequencer-issues.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/troubleshooting-certificate-permission-issues.md b/mdop/appv-v4/troubleshooting-certificate-permission-issues.md
index 62d5a6e274..6987ec6314 100644
--- a/mdop/appv-v4/troubleshooting-certificate-permission-issues.md
+++ b/mdop/appv-v4/troubleshooting-certificate-permission-issues.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md
index 37f2f88e78..1a8a9821d5 100644
--- a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md
+++ b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md
index 80485a8023..021372f847 100644
--- a/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md
+++ b/mdop/appv-v4/troubleshooting-information-for-the-application-virtualization-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md b/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md
index de5af9194f..0ee0ebe678 100644
--- a/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/troubleshooting-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/type-of-application-page--learn-more-.md b/mdop/appv-v4/type-of-application-page--learn-more-.md
index 72e6772aa9..793ec8b0c1 100644
--- a/mdop/appv-v4/type-of-application-page--learn-more-.md
+++ b/mdop/appv-v4/type-of-application-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/unload-app.md b/mdop/appv-v4/unload-app.md
index a2748ee100..692d0b2a1b 100644
--- a/mdop/appv-v4/unload-app.md
+++ b/mdop/appv-v4/unload-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/unload-package.md b/mdop/appv-v4/unload-package.md
index 03039cbbfe..d0ad6ce857 100644
--- a/mdop/appv-v4/unload-package.md
+++ b/mdop/appv-v4/unload-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/unlock-app.md b/mdop/appv-v4/unlock-app.md
index 8d20a7f7a3..f003f66e5a 100644
--- a/mdop/appv-v4/unlock-app.md
+++ b/mdop/appv-v4/unlock-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/unpublish-package.md b/mdop/appv-v4/unpublish-package.md
index 4111a75383..28df41e62d 100644
--- a/mdop/appv-v4/unpublish-package.md
+++ b/mdop/appv-v4/unpublish-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md b/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md
index 37f72f87ed..1517ada613 100644
--- a/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md
+++ b/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md b/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md
index 11a9533a37..0537d830a9 100644
--- a/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md
+++ b/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md b/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md
index 6f8e379deb..4788d4f85f 100644
--- a/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md
+++ b/mdop/appv-v4/using-electronic-software-distribution-as-a-package-management-solution.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/verify-applications-page--package-accelerators-.md b/mdop/appv-v4/verify-applications-page--package-accelerators-.md
index 6cb0bdd47e..dc6a8604e7 100644
--- a/mdop/appv-v4/verify-applications-page--package-accelerators-.md
+++ b/mdop/appv-v4/verify-applications-page--package-accelerators-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/virtual-application-package-additional-components.md b/mdop/appv-v4/virtual-application-package-additional-components.md
index e44d919586..42d28df0f0 100644
--- a/mdop/appv-v4/virtual-application-package-additional-components.md
+++ b/mdop/appv-v4/virtual-application-package-additional-components.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/virtual-file-system-tab-keep.md b/mdop/appv-v4/virtual-file-system-tab-keep.md
index 9d50f3a15c..188445d4e4 100644
--- a/mdop/appv-v4/virtual-file-system-tab-keep.md
+++ b/mdop/appv-v4/virtual-file-system-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/virtual-registry-tab-keep.md b/mdop/appv-v4/virtual-registry-tab-keep.md
index ab7b437cfd..832f3dc40b 100644
--- a/mdop/appv-v4/virtual-registry-tab-keep.md
+++ b/mdop/appv-v4/virtual-registry-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/virtual-services-tab-keep.md b/mdop/appv-v4/virtual-services-tab-keep.md
index 2314727dbd..e78e0eee33 100644
--- a/mdop/appv-v4/virtual-services-tab-keep.md
+++ b/mdop/appv-v4/virtual-services-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/wizard-pages--appv-46-sp1-.md b/mdop/appv-v4/wizard-pages--appv-46-sp1-.md
index 8ea9090de2..8d47e49527 100644
--- a/mdop/appv-v4/wizard-pages--appv-46-sp1-.md
+++ b/mdop/appv-v4/wizard-pages--appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index 203086f71b..4dbf7f3b64 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -222,7 +222,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
- ``` syntax
+ ```xml
@@ -633,7 +633,7 @@ You may want to disable specific applications in your Office App-V package. For
5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
- ``` syntax
+ ```xml
Lync 2016
diff --git a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md
index 7bc0c4e2c1..e1e6432a8a 100644
--- a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md
+++ b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md
@@ -43,9 +43,7 @@ You must configure the package converter to always save the package ingredients
Import-Module AppVPkgConverter
```
-3.
-
- The following cmdlets are available:
+3. The following cmdlets are available:
- Test-AppvLegacyPackage – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using the PowerShell cmdline, type `Test-AppvLegacyPackage -?`.
diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md
index f69cd05803..8652ce06d6 100644
--- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md
+++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md
@@ -143,11 +143,11 @@ Click **Next**.
11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**.
- - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
+ - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
- - Specify the operating systems that can run this package.
+ - Specify the operating systems that can run this package.
- Click **Next**.
+ Click **Next**.
12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
@@ -234,11 +234,11 @@ Click **Next**.
10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**.
- - Optimize how the package will run across a slow or unreliable network.
+ - Optimize how the package will run across a slow or unreliable network.
- - Specify the operating systems that can run this package.
+ - Specify the operating systems that can run this package.
- Click **Next**.
+ Click **Next**.
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**.
diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
index 5143059379..ba6d5a807d 100644
--- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
+++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
@@ -128,11 +128,11 @@ Click **Next**.
11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**.
- - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
+ - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers.
- - Specify the operating systems that can run this package.
+ - Specify the operating systems that can run this package.
- Click **Next**.
+ Click **Next**.
12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
@@ -210,11 +210,11 @@ On the computer that runs the sequencer, click **All Programs**, and then Click
10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**.
- - Optimize how the package will run across a slow or unreliable network.
+ - Optimize how the package will run across a slow or unreliable network.
- - Specify the operating systems that can run this package.
+ - Specify the operating systems that can run this package.
- Click **Next**.
+ Click **Next**.
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**.
diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md
index ca33b4be38..c51ad7bc30 100644
--- a/mdop/appv-v5/index.md
+++ b/mdop/appv-v5/index.md
@@ -1,7 +1,7 @@
---
title: Application Virtualization 5
description: Application Virtualization 5
-author: jamiejdt
+author: dansimp
ms.assetid: e82eb44b-9ccd-41aa-923b-71400230ad23
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/mdop/dart-v10/index.md b/mdop/dart-v10/index.md
index ca199090fb..5d88fce5c0 100644
--- a/mdop/dart-v10/index.md
+++ b/mdop/dart-v10/index.md
@@ -1,7 +1,7 @@
---
title: Diagnostics and Recovery Toolset 10
description: Diagnostics and Recovery Toolset 10
-author: jamiejdt
+author: dansimp
ms.assetid: 64403eca-ff05-4327-ac33-bdcc96e706c8
ms.pagetype: mdop
ms.mktglfcycl: support
diff --git a/mdop/dart-v7/about-dart-70-new-ia.md b/mdop/dart-v7/about-dart-70-new-ia.md
index 944c2bd884..7669450607 100644
--- a/mdop/dart-v7/about-dart-70-new-ia.md
+++ b/mdop/dart-v7/about-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/accessibility-for-dart-70.md b/mdop/dart-v7/accessibility-for-dart-70.md
index 5335e76631..afb83c0c70 100644
--- a/mdop/dart-v7/accessibility-for-dart-70.md
+++ b/mdop/dart-v7/accessibility-for-dart-70.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md b/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md
index 0bb0012fb5..2fa4e1973e 100644
--- a/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md
+++ b/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md b/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md
index 2a1c1e2596..fe7a329faa 100644
--- a/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md
+++ b/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/dart-70-planning-checklist-dart-7.md b/mdop/dart-v7/dart-70-planning-checklist-dart-7.md
index 7612462738..5d125aafaf 100644
--- a/mdop/dart-v7/dart-70-planning-checklist-dart-7.md
+++ b/mdop/dart-v7/dart-70-planning-checklist-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/dart-70-supported-configurations-dart-7.md b/mdop/dart-v7/dart-70-supported-configurations-dart-7.md
index 0bff4cebfc..5c0de66ee4 100644
--- a/mdop/dart-v7/dart-70-supported-configurations-dart-7.md
+++ b/mdop/dart-v7/dart-70-supported-configurations-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/deploying-dart-70-new-ia.md b/mdop/dart-v7/deploying-dart-70-new-ia.md
index 455cfa5388..9612cbbec2 100644
--- a/mdop/dart-v7/deploying-dart-70-new-ia.md
+++ b/mdop/dart-v7/deploying-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md b/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md
index fa4f19d3d6..c8e61e3bbb 100644
--- a/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md
+++ b/mdop/dart-v7/deploying-dart-70-to-administrator-computers-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md b/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md
index fe84a514e2..b5bdee5e77 100644
--- a/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md
+++ b/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md b/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md
index 77afc0423f..5376233690 100644
--- a/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md
+++ b/mdop/dart-v7/diagnosing-system-failures-with-crash-analyzer--dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/getting-started-with-dart-70-new-ia.md b/mdop/dart-v7/getting-started-with-dart-70-new-ia.md
index ac081ea5fb..fe540dcf08 100644
--- a/mdop/dart-v7/getting-started-with-dart-70-new-ia.md
+++ b/mdop/dart-v7/getting-started-with-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md b/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md
index a6b4c35913..3a447a185e 100644
--- a/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md
+++ b/mdop/dart-v7/how-to-change-repair-or-remove-dart-70.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md b/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md
index cadfb77d47..b86616043e 100644
--- a/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md
+++ b/mdop/dart-v7/how-to-create-a-time-limited-recovery-image-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-deploy-dart-70.md b/mdop/dart-v7/how-to-deploy-dart-70.md
index 32254f2c60..5ea5704612 100644
--- a/mdop/dart-v7/how-to-deploy-dart-70.md
+++ b/mdop/dart-v7/how-to-deploy-dart-70.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md
index ec9f029614..032c998a69 100644
--- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md
+++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md
index bb9b4e45b5..53d9e0c199 100644
--- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md
+++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md
index 8c9ec4eebf..dec6b0ee1f 100644
--- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md
+++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md b/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md
index 04e664b006..97919ebdaf 100644
--- a/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md
+++ b/mdop/dart-v7/how-to-ensure-that-crash-analyzer-can-access-symbol-files-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md b/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md
index f24b5b6941..3c5e049cc4 100644
--- a/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md
+++ b/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md b/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md
index d8cdbc0ab0..92044dc55f 100644
--- a/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md
+++ b/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md b/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md
index 2000d0e0f8..ca96b96fa2 100644
--- a/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md
+++ b/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md b/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md
index 4a03441b10..1cd1277d48 100644
--- a/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md
+++ b/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md b/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md
index 64a13002bc..68bcaa762b 100644
--- a/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md
+++ b/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/index.md b/mdop/dart-v7/index.md
index 9dfe1fceaf..ba12a07c9d 100644
--- a/mdop/dart-v7/index.md
+++ b/mdop/dart-v7/index.md
@@ -1,12 +1,12 @@
---
title: Diagnostics and Recovery Toolset 7 Administrator's Guide
description: Diagnostics and Recovery Toolset 7 Administrator's Guide
-author: jamiejdt
+author: dansimp
ms.assetid: bf89eccd-fc03-48ff-9019-a8640e11dd99
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 04/19/2017
---
diff --git a/mdop/dart-v7/operations-for-dart-70-new-ia.md b/mdop/dart-v7/operations-for-dart-70-new-ia.md
index 4ab261ebe1..aaeec42f32 100644
--- a/mdop/dart-v7/operations-for-dart-70-new-ia.md
+++ b/mdop/dart-v7/operations-for-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md
index ccd74f662c..945180ced9 100644
--- a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md
+++ b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/planning-for-dart-70-new-ia.md b/mdop/dart-v7/planning-for-dart-70-new-ia.md
index d4227b88d2..69e7f032bb 100644
--- a/mdop/dart-v7/planning-for-dart-70-new-ia.md
+++ b/mdop/dart-v7/planning-for-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md b/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md
index f99585b92a..dfe697ea8f 100644
--- a/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md
+++ b/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md b/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md
index 7c19fc8845..3aa6ed872f 100644
--- a/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md
+++ b/mdop/dart-v7/planning-to-create-the-dart-70-recovery-image.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/planning-to-deploy-dart-70.md b/mdop/dart-v7/planning-to-deploy-dart-70.md
index f1f21b158b..5fa805cf89 100644
--- a/mdop/dart-v7/planning-to-deploy-dart-70.md
+++ b/mdop/dart-v7/planning-to-deploy-dart-70.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md b/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md
index 35e35b8a3e..e3e5f4824e 100644
--- a/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md
+++ b/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/release-notes-for-dart-70-new-ia.md b/mdop/dart-v7/release-notes-for-dart-70-new-ia.md
index 87506ac590..035b7570cf 100644
--- a/mdop/dart-v7/release-notes-for-dart-70-new-ia.md
+++ b/mdop/dart-v7/release-notes-for-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md b/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md
index 7d51161f65..fb406cc6b9 100644
--- a/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md
+++ b/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md b/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md
index 70e1a1fba6..747af0760b 100644
--- a/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md
+++ b/mdop/dart-v7/technical-reference-for-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v7/troubleshooting-dart-70-new-ia.md b/mdop/dart-v7/troubleshooting-dart-70-new-ia.md
index 5e1d37af9e..7f1942cf6c 100644
--- a/mdop/dart-v7/troubleshooting-dart-70-new-ia.md
+++ b/mdop/dart-v7/troubleshooting-dart-70-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/about-dart-80-dart-8.md b/mdop/dart-v8/about-dart-80-dart-8.md
index 7de3d83f67..75405ef53f 100644
--- a/mdop/dart-v8/about-dart-80-dart-8.md
+++ b/mdop/dart-v8/about-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/about-dart-80-sp1.md b/mdop/dart-v8/about-dart-80-sp1.md
index 9a2cf5c3a0..c6bec15027 100644
--- a/mdop/dart-v8/about-dart-80-sp1.md
+++ b/mdop/dart-v8/about-dart-80-sp1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/about-dart-81.md b/mdop/dart-v8/about-dart-81.md
index a2d81ba1e5..9af17ffe96 100644
--- a/mdop/dart-v8/about-dart-81.md
+++ b/mdop/dart-v8/about-dart-81.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/accessibility-for-dart-80-dart-8.md b/mdop/dart-v8/accessibility-for-dart-80-dart-8.md
index 936d93ea7d..dedbc23dc8 100644
--- a/mdop/dart-v8/accessibility-for-dart-80-dart-8.md
+++ b/mdop/dart-v8/accessibility-for-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md b/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md
index d400b3bd5d..1aaf5e577a 100644
--- a/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md
+++ b/mdop/dart-v8/administering-dart-80-using-powershell-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md
index 0dfd0b39f2..cec64c5c0e 100644
--- a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md
+++ b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/21/2017
---
diff --git a/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md b/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md
index eca291304a..94c522e8cb 100644
--- a/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md
+++ b/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/dart-80-planning-checklist-dart-8.md b/mdop/dart-v8/dart-80-planning-checklist-dart-8.md
index 7e29d01395..d94a6d2c8c 100644
--- a/mdop/dart-v8/dart-80-planning-checklist-dart-8.md
+++ b/mdop/dart-v8/dart-80-planning-checklist-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/dart-80-privacy-statement-dart-8.md b/mdop/dart-v8/dart-80-privacy-statement-dart-8.md
index 3446e85228..0be261d833 100644
--- a/mdop/dart-v8/dart-80-privacy-statement-dart-8.md
+++ b/mdop/dart-v8/dart-80-privacy-statement-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/dart-80-supported-configurations-dart-8.md b/mdop/dart-v8/dart-80-supported-configurations-dart-8.md
index 1498448738..f659803a79 100644
--- a/mdop/dart-v8/dart-80-supported-configurations-dart-8.md
+++ b/mdop/dart-v8/dart-80-supported-configurations-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/deploying-dart-80-dart-8.md b/mdop/dart-v8/deploying-dart-80-dart-8.md
index 36e9c02d25..c6a3f6f118 100644
--- a/mdop/dart-v8/deploying-dart-80-dart-8.md
+++ b/mdop/dart-v8/deploying-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md b/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md
index ecd56e83ee..ddd014d2eb 100644
--- a/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md
+++ b/mdop/dart-v8/deploying-dart-80-to-administrator-computers-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md
index 99ebca995c..c635accd35 100644
--- a/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md
+++ b/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md b/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md
index d5e3945dc8..77522cf3fa 100644
--- a/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md
+++ b/mdop/dart-v8/diagnosing-system-failures-with-crash-analyzer--dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/getting-started-with-dart-80-dart-8.md b/mdop/dart-v8/getting-started-with-dart-80-dart-8.md
index faa25ee39e..e313b81a37 100644
--- a/mdop/dart-v8/getting-started-with-dart-80-dart-8.md
+++ b/mdop/dart-v8/getting-started-with-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md b/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md
index 0e90caab1d..6c2e3fb612 100644
--- a/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md
+++ b/mdop/dart-v8/how-to-change-repair-or-remove-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md b/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md
index e31d87e179..f562dc65ba 100644
--- a/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md
+++ b/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md
index a717b3888e..cddcfef5e9 100644
--- a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md
+++ b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md
index c5d594b59c..c84571d02c 100644
--- a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md
+++ b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md b/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md
index afe2d17d1b..dfdfa5bf01 100644
--- a/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md
+++ b/mdop/dart-v8/how-to-ensure-that-crash-analyzer-can-access-symbol-files.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md b/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md
index c36fc90c84..c1eb0becc8 100644
--- a/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md
+++ b/mdop/dart-v8/how-to-perform-dart-tasks-by-using-powershell-commands-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md
index dca11766bc..d4315fa44a 100644
--- a/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md
+++ b/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md
index 5cf1247cb4..0b4c3efa63 100644
--- a/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md
+++ b/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md b/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md
index ad3b05cceb..8b0b3c8a8c 100644
--- a/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md
+++ b/mdop/dart-v8/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md b/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md
index c50f8d1d66..e3a35791e8 100644
--- a/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md
+++ b/mdop/dart-v8/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md b/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md
index 34c8202a73..b0a3f41ad7 100644
--- a/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md
+++ b/mdop/dart-v8/how-to-use-a-powershell-script-to-create-the-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/index.md b/mdop/dart-v8/index.md
index 4f39c5a258..bcee6aaf64 100644
--- a/mdop/dart-v8/index.md
+++ b/mdop/dart-v8/index.md
@@ -1,12 +1,12 @@
---
title: Diagnostics and Recovery Toolset 8 Administrator's Guide
description: Diagnostics and Recovery Toolset 8 Administrator's Guide
-author: jamiejdt
+author: dansimp
ms.assetid: 33685dd7-844f-4864-b504-3ef384ef01de
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 04/19/2017
---
diff --git a/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md b/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md
index 78b6e42da3..f2a4047807 100644
--- a/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md
+++ b/mdop/dart-v8/microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/operations-for-dart-80-dart-8.md b/mdop/dart-v8/operations-for-dart-80-dart-8.md
index c495ff0ffd..c71925f264 100644
--- a/mdop/dart-v8/operations-for-dart-80-dart-8.md
+++ b/mdop/dart-v8/operations-for-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md
index 7cffb8401b..dc1608bbf2 100644
--- a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md
+++ b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/planning-for-dart-80-dart-8.md b/mdop/dart-v8/planning-for-dart-80-dart-8.md
index a7ab30d88b..55b249c5e7 100644
--- a/mdop/dart-v8/planning-for-dart-80-dart-8.md
+++ b/mdop/dart-v8/planning-for-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md
index 4f95c0b2fa..00fe0bfbd8 100644
--- a/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md
+++ b/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md
index 4acce8e180..3e41f760d4 100644
--- a/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md
+++ b/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md b/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md
index 60c6e5d180..57ade193c4 100644
--- a/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md
+++ b/mdop/dart-v8/planning-to-deploy-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md b/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md
index 10b50735d0..78ee035cb4 100644
--- a/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md
+++ b/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/release-notes-for-dart-80--dart-8.md b/mdop/dart-v8/release-notes-for-dart-80--dart-8.md
index 7ec6427eb0..a96b501caa 100644
--- a/mdop/dart-v8/release-notes-for-dart-80--dart-8.md
+++ b/mdop/dart-v8/release-notes-for-dart-80--dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/release-notes-for-dart-80-sp1.md b/mdop/dart-v8/release-notes-for-dart-80-sp1.md
index 4807afe2a9..28f2df8b60 100644
--- a/mdop/dart-v8/release-notes-for-dart-80-sp1.md
+++ b/mdop/dart-v8/release-notes-for-dart-80-sp1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/release-notes-for-dart-81.md b/mdop/dart-v8/release-notes-for-dart-81.md
index ed24c12ba0..d1183586b4 100644
--- a/mdop/dart-v8/release-notes-for-dart-81.md
+++ b/mdop/dart-v8/release-notes-for-dart-81.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md b/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md
index 2cfe65b9fa..f6a05dbbaf 100644
--- a/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md
+++ b/mdop/dart-v8/security-and-privacy-for-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md b/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md
index c89debf994..716e3ed33f 100644
--- a/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md
+++ b/mdop/dart-v8/security-considerations-for-dart-80--dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md b/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md
index 98189c70c5..1084a0fc4e 100644
--- a/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md
+++ b/mdop/dart-v8/technical-reference-for-dart-80-new-ia.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/dart-v8/troubleshooting-dart-80-dart-8.md b/mdop/dart-v8/troubleshooting-dart-80-dart-8.md
index d801caa77c..dd64f0665f 100644
--- a/mdop/dart-v8/troubleshooting-dart-80-dart-8.md
+++ b/mdop/dart-v8/troubleshooting-dart-80-dart-8.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop
ms.mktglfcycl: support
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/docfx.json b/mdop/docfx.json
index f825997a00..252c242145 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -24,7 +24,12 @@
"globalMetadata": {
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
- "ms.technology": "mdop",
+ "ms.technology": "windows",
+ "audience": "ITPro",
+ "manager": "dansimp",
+ "ms.prod": "w10",
+ "ms.author": "dansimp",
+ "author": "dansimp",
"ms.sitesec": "library",
"ms.topic": "article",
"ms.date": "04/05/2017",
diff --git a/mdop/index.md b/mdop/index.md
index 78fffc67fd..93ce634a80 100644
--- a/mdop/index.md
+++ b/mdop/index.md
@@ -2,7 +2,7 @@
title: MDOP Information Experience
description: MDOP Information Experience
ms.assetid: 12b8ab56-3267-450d-bb22-1c7e44cb8e52
-author: jamiejdt
+author: dansimp
ms.pagetype: mdop
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/mdop/mbam-v1/about-mbam-10.md b/mdop/mbam-v1/about-mbam-10.md
index 6649ff16d7..de3e35c13d 100644
--- a/mdop/mbam-v1/about-mbam-10.md
+++ b/mdop/mbam-v1/about-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/accessibility-for-mbam-10.md b/mdop/mbam-v1/accessibility-for-mbam-10.md
index 6e772a734a..f360475a2c 100644
--- a/mdop/mbam-v1/accessibility-for-mbam-10.md
+++ b/mdop/mbam-v1/accessibility-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md b/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md
index 11d991351f..b9f38f7a3e 100644
--- a/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md
+++ b/mdop/mbam-v1/administering-mbam-10-by-using-powershell.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/administering-mbam-10-features.md b/mdop/mbam-v1/administering-mbam-10-features.md
index 86fabb6cde..26d27aea64 100644
--- a/mdop/mbam-v1/administering-mbam-10-features.md
+++ b/mdop/mbam-v1/administering-mbam-10-features.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md b/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md
index c6d78bd71f..f62d25bd4d 100644
--- a/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md
+++ b/mdop/mbam-v1/deploying-mbam-10-group-policy-objects.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/deploying-mbam-10.md b/mdop/mbam-v1/deploying-mbam-10.md
index 9c54063330..086a3a721d 100644
--- a/mdop/mbam-v1/deploying-mbam-10.md
+++ b/mdop/mbam-v1/deploying-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/deploying-the-mbam-10-client.md b/mdop/mbam-v1/deploying-the-mbam-10-client.md
index 3b9f55c539..df62ed3b09 100644
--- a/mdop/mbam-v1/deploying-the-mbam-10-client.md
+++ b/mdop/mbam-v1/deploying-the-mbam-10-client.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md b/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md
index 1cf2e31d54..311a0ba253 100644
--- a/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md
+++ b/mdop/mbam-v1/deploying-the-mbam-10-language-release-update.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md b/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md
index 55c227b364..e802fbe9a3 100644
--- a/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md
+++ b/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md
index a610d18cea..c245904370 100644
--- a/mdop/mbam-v1/evaluating-mbam-10.md
+++ b/mdop/mbam-v1/evaluating-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/getting-started-with-mbam-10.md b/mdop/mbam-v1/getting-started-with-mbam-10.md
index b54f281bf6..80cf2a07bf 100644
--- a/mdop/mbam-v1/getting-started-with-mbam-10.md
+++ b/mdop/mbam-v1/getting-started-with-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/high-availability-for-mbam-10.md b/mdop/mbam-v1/high-availability-for-mbam-10.md
index a7f2f2a89a..5817b9955d 100644
--- a/mdop/mbam-v1/high-availability-for-mbam-10.md
+++ b/mdop/mbam-v1/high-availability-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/high-level-architecture-for-mbam-10.md b/mdop/mbam-v1/high-level-architecture-for-mbam-10.md
index 73dfbdd35b..d01784a142 100644
--- a/mdop/mbam-v1/high-level-architecture-for-mbam-10.md
+++ b/mdop/mbam-v1/high-level-architecture-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md b/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md
index a8ca4fbd5c..9020faa354 100644
--- a/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md
+++ b/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md b/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md
index d76d6481b6..8390876b1e 100644
--- a/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md
+++ b/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md b/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md
index ec94256a72..739b6c100e 100644
--- a/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md
+++ b/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md b/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md
index 1951352a23..9183a1ebb8 100644
--- a/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md
+++ b/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md b/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md
index f7b3f615a5..7b594af29c 100644
--- a/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md
+++ b/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md b/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md
index 62464e8014..2117e28d4f 100644
--- a/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md
+++ b/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md b/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md
index d10014b0d2..dbf5369cc9 100644
--- a/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md
+++ b/mdop/mbam-v1/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md
index 7761a0065c..178bb1e922 100644
--- a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md
+++ b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md
index 668966c147..8415738e13 100644
--- a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md
+++ b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md b/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md
index ca6defb7b6..9a47bce6c6 100644
--- a/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md
+++ b/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md
index 978349f4d2..40aea24b1a 100644
--- a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md
+++ b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md
index ec68e9b91a..1043c5be7b 100644
--- a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md
+++ b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md b/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md
index 8dcdf2d88f..56b13e75d8 100644
--- a/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md
+++ b/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md b/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md
index f8a0500186..1ed110d24c 100644
--- a/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md
+++ b/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md b/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md
index 7deb0b2e0a..71eda0e490 100644
--- a/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md
+++ b/mdop/mbam-v1/how-to-manage-mbam-administrator-roles-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md b/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md
index 02e890969a..6800cc91ac 100644
--- a/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md
+++ b/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md b/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md
index 3116ec7a92..48e9ef2121 100644
--- a/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md
+++ b/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md
index e0dec01036..8da7ef40e8 100644
--- a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md
+++ b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md
index 4cface3663..4205bfe3db 100644
--- a/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md
+++ b/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md
index b1d3a350ea..0e4e67dfcd 100644
--- a/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md
+++ b/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md
index 094d762b26..6425bd6b12 100644
--- a/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md
+++ b/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md b/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md
index bb5ddfe3f6..354f5be7d0 100644
--- a/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md
+++ b/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md
index f7646af27e..b25186a196 100644
--- a/mdop/mbam-v1/index.md
+++ b/mdop/mbam-v1/index.md
@@ -1,55 +1,45 @@
---
title: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide
description: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide
-author: jamiejdt
+author: dansimp
ms.assetid: 4086e721-db24-4439-bdcd-ac5ef901811f
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 04/19/2017
---
-
# Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide
-
Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. With MBAM, you can select BitLocker encryption policy options that are appropriate to your enterprise and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the entire enterprise. In addition, you can access recovery key information when users forget their PIN or password, or when their BIOS or boot record changes.
-[Getting Started with MBAM 1.0](getting-started-with-mbam-10.md)
-
-[About MBAM 1.0](about-mbam-10.md)**|**[Evaluating MBAM 1.0](evaluating-mbam-10.md)**|**[High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)**|**[Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)**|**[Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md)
-
-[Planning for MBAM 1.0](planning-for-mbam-10.md)
-
-[Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)**|**[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)**|**[Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)**|**[MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)**|**[MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md)
-
-[Deploying MBAM 1.0](deploying-mbam-10.md)
-
-[Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)**|**[Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)**|**[Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)**|**[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)**|**[MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md)
-
-[Operations for MBAM 1.0](operations-for-mbam-10.md)
-
-[Administering MBAM 1.0 Features](administering-mbam-10-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)**|**[Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md)
-
-[Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md)
-
-### More Information
-
-[Release Notes for MBAM 1.0](release-notes-for-mbam-10.md)
-View updated product information and known issues for MBAM 1.0.
-
-[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286)
-Learn about the latest MDOP information and resources.
-
-[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
-
-
-
-
-
-
-
-
+- [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md)
+ - [About MBAM 1.0](about-mbam-10.md)
+ - [Release Notes for MBAM 1.0](release-notes-for-mbam-10.md)
+ - [Evaluating MBAM 1.0](evaluating-mbam-10.md)
+ - [High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)
+ - [Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)
+ - [Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md)
+- [Planning for MBAM 1.0](planning-for-mbam-10.md)
+ - [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)
+ - [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)
+ - [Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)
+ - [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)
+ - [MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md)
+- [Deploying MBAM 1.0](deploying-mbam-10.md)
+ - [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)
+ - [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)
+ - [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)
+ - [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)
+ - [MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md)
+- [Operations for MBAM 1.0](operations-for-mbam-10.md)
+ - [Administering MBAM 1.0 Features](administering-mbam-10-features.md)
+ - [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)
+ - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)
+ - [Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md)
+- [Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md)
+## More Information
+- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
+ Find documentation, videos, and other resources for MDOP technologies.
diff --git a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
index 2bc9d1d30a..152ae6db90 100644
--- a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
+++ b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/maintaining-mbam-10.md b/mdop/mbam-v1/maintaining-mbam-10.md
index 38d6ea5192..6cdfa7c140 100644
--- a/mdop/mbam-v1/maintaining-mbam-10.md
+++ b/mdop/mbam-v1/maintaining-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/mbam-10-deployment-checklist.md b/mdop/mbam-v1/mbam-10-deployment-checklist.md
index 24865d56ec..98918bcd19 100644
--- a/mdop/mbam-v1/mbam-10-deployment-checklist.md
+++ b/mdop/mbam-v1/mbam-10-deployment-checklist.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/mbam-10-deployment-prerequisites.md b/mdop/mbam-v1/mbam-10-deployment-prerequisites.md
index 700410a63d..efefe73d4b 100644
--- a/mdop/mbam-v1/mbam-10-deployment-prerequisites.md
+++ b/mdop/mbam-v1/mbam-10-deployment-prerequisites.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/mbam-10-planning-checklist.md b/mdop/mbam-v1/mbam-10-planning-checklist.md
index 97e5d82a85..f2ca3f0e3a 100644
--- a/mdop/mbam-v1/mbam-10-planning-checklist.md
+++ b/mdop/mbam-v1/mbam-10-planning-checklist.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/mbam-10-supported-configurations.md b/mdop/mbam-v1/mbam-10-supported-configurations.md
index b15e8336ad..71a4d85992 100644
--- a/mdop/mbam-v1/mbam-10-supported-configurations.md
+++ b/mdop/mbam-v1/mbam-10-supported-configurations.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md b/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md
index 35db4e0f57..e01d92edeb 100644
--- a/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md
+++ b/mdop/mbam-v1/monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/operations-for-mbam-10.md b/mdop/mbam-v1/operations-for-mbam-10.md
index 4f6a0e333e..2c21229603 100644
--- a/mdop/mbam-v1/operations-for-mbam-10.md
+++ b/mdop/mbam-v1/operations-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md b/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md
index 0efb74fc83..466a1cc867 100644
--- a/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md
+++ b/mdop/mbam-v1/performing-bitlocker-management-with-mbam.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md
index cd65628a24..14a19f6fde 100644
--- a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md
+++ b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -19,7 +19,7 @@ ms.date: 06/16/2016
This topic includes and describes the administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM), as well as the server locations where the local groups are created.
-## MBAM Administrator roles
+## MBAM Administrator roles
**MBAM System Administrators**
diff --git a/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md b/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md
index c493b0b251..2820bf86ad 100644
--- a/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md
+++ b/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md
index eb5ac48c44..ce78024608 100644
--- a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md
+++ b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -141,7 +141,7 @@ This section describes the Client Management policy definitions for MBAM, found
-## Fixed Drive policy definitions
+## Fixed Drive policy definitions
This section describes the Fixed Drive policy definitions for MBAM, which can be found at the following GPO node: **Computer Configuration**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)** \\ **Fixed Drive**.
diff --git a/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md b/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md
index f8a81e0385..e3fd8e1f24 100644
--- a/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md
+++ b/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/planning-for-mbam-10.md b/mdop/mbam-v1/planning-for-mbam-10.md
index d962c67909..633e4048d0 100644
--- a/mdop/mbam-v1/planning-for-mbam-10.md
+++ b/mdop/mbam-v1/planning-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/planning-to-deploy-mbam-10.md b/mdop/mbam-v1/planning-to-deploy-mbam-10.md
index 82f073a30e..0fe94548e9 100644
--- a/mdop/mbam-v1/planning-to-deploy-mbam-10.md
+++ b/mdop/mbam-v1/planning-to-deploy-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md b/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md
index c1751b7247..796672f8b3 100644
--- a/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md
+++ b/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/privacy-statement-for-mbam-10.md b/mdop/mbam-v1/privacy-statement-for-mbam-10.md
index cbb1202f49..53d2f37793 100644
--- a/mdop/mbam-v1/privacy-statement-for-mbam-10.md
+++ b/mdop/mbam-v1/privacy-statement-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/release-notes-for-mbam-10.md b/mdop/mbam-v1/release-notes-for-mbam-10.md
index aec1c1dab8..9b9be836c6 100644
--- a/mdop/mbam-v1/release-notes-for-mbam-10.md
+++ b/mdop/mbam-v1/release-notes-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/security-and-privacy-for-mbam-10.md b/mdop/mbam-v1/security-and-privacy-for-mbam-10.md
index 00c9e551f3..9b8209c9d4 100644
--- a/mdop/mbam-v1/security-and-privacy-for-mbam-10.md
+++ b/mdop/mbam-v1/security-and-privacy-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v1/security-considerations-for-mbam-10.md b/mdop/mbam-v1/security-considerations-for-mbam-10.md
index 60d75c4b33..bcfe42f061 100644
--- a/mdop/mbam-v1/security-considerations-for-mbam-10.md
+++ b/mdop/mbam-v1/security-considerations-for-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/troubleshooting-mbam-10.md b/mdop/mbam-v1/troubleshooting-mbam-10.md
index 9c07bf41b2..5a72af69f9 100644
--- a/mdop/mbam-v1/troubleshooting-mbam-10.md
+++ b/mdop/mbam-v1/troubleshooting-mbam-10.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md b/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md
index 069c0097c2..e6b066b08a 100644
--- a/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md
+++ b/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/about-mbam-20-mbam-2.md b/mdop/mbam-v2/about-mbam-20-mbam-2.md
index 403d43870d..f12cb7956f 100644
--- a/mdop/mbam-v2/about-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/about-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/about-mbam-20-sp1.md b/mdop/mbam-v2/about-mbam-20-sp1.md
index 8b27fe1388..b5bf6aee5b 100644
--- a/mdop/mbam-v2/about-mbam-20-sp1.md
+++ b/mdop/mbam-v2/about-mbam-20-sp1.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/about-the-computer-tpm-chip.md b/mdop/mbam-v2/about-the-computer-tpm-chip.md
index 8fc5a07b1c..053703ed72 100644
--- a/mdop/mbam-v2/about-the-computer-tpm-chip.md
+++ b/mdop/mbam-v2/about-the-computer-tpm-chip.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md b/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md
index 62803ce9fd..d4ab5fa177 100644
--- a/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md b/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md
index 87e053a66b..8331189deb 100644
--- a/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md
+++ b/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md b/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md
index 38ce3f35cf..cd4cc7364f 100644
--- a/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md
+++ b/mdop/mbam-v2/administering-mbam-20-using-powershell-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
index fbbfcb6384..1ce8e1b6f2 100644
--- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
+++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/04/2017
---
diff --git a/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md b/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md
index 01574c06fa..a117c6af21 100644
--- a/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md
+++ b/mdop/mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/deploying-mbam-20-mbam-2.md b/mdop/mbam-v2/deploying-mbam-20-mbam-2.md
index 4f391c02e0..3123a95e40 100644
--- a/mdop/mbam-v2/deploying-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/deploying-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md b/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md
index d216401680..b7254c63e3 100644
--- a/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md
+++ b/mdop/mbam-v2/deploying-mbam-with-configuration-manager-mbam2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md b/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md
index c9857d854e..ab113f1153 100644
--- a/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md
+++ b/mdop/mbam-v2/deploying-the-mbam-20-client-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md b/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md
index 32a1b563d5..1b8e0bec49 100644
--- a/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md
+++ b/mdop/mbam-v2/deploying-the-mbam-20-server-infrastructure-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md
index e06a21728b..09e536028a 100644
--- a/mdop/mbam-v2/edit-the-configurationmof-file.md
+++ b/mdop/mbam-v2/edit-the-configurationmof-file.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/03/2017
---
diff --git a/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md b/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md
index 4c52ea62b8..6499e380e6 100644
--- a/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md b/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md
index c05335448c..9e4092ead8 100644
--- a/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md
+++ b/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md b/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md
index e24afb3f59..bfbd547d4b 100644
--- a/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/getting-started-with-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/helping-end-users-manage-bitlocker.md b/mdop/mbam-v2/helping-end-users-manage-bitlocker.md
index 351f43c2ea..72286236c4 100644
--- a/mdop/mbam-v2/helping-end-users-manage-bitlocker.md
+++ b/mdop/mbam-v2/helping-end-users-manage-bitlocker.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md b/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md
index ccf0d2efd2..21008d0070 100644
--- a/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/high-availability-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md b/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md
index 8e213175cb..105afce636 100644
--- a/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-brand-the-self-service-portal.md b/mdop/mbam-v2/how-to-brand-the-self-service-portal.md
index d50446e82d..fadf286056 100644
--- a/mdop/mbam-v2/how-to-brand-the-self-service-portal.md
+++ b/mdop/mbam-v2/how-to-brand-the-self-service-portal.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md b/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md
index 5e92294d61..4797ce3bfb 100644
--- a/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md
+++ b/mdop/mbam-v2/how-to-create-or-edit-the-mof-files.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md b/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md
index 26ec642679..10ff64c8e7 100644
--- a/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md
+++ b/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md b/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md
index cd58d1213c..85cef41291 100644
--- a/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md
+++ b/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md b/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md
index be34c7735b..5d87de60b6 100644
--- a/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md
+++ b/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md b/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md
index 1c4aec51cd..183ffd7a51 100644
--- a/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md
+++ b/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md b/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md
index 7e100cc0b6..8f124cd31e 100644
--- a/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md
+++ b/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md b/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md
index 94480977b1..0371722265 100644
--- a/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md
+++ b/mdop/mbam-v2/how-to-hide-default-bitlocker-encryption-in-the-windows-control-panel-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md
index db6508b8b3..a9475663df 100644
--- a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md
+++ b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md
index f7c562da25..4a108246e2 100644
--- a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md
+++ b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md b/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md
index a01c49e93e..6ada7f3b2f 100644
--- a/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md
+++ b/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md
index 44d57820c6..d69f082425 100644
--- a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md
+++ b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md b/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md
index 39812a5a36..8b70578b3a 100644
--- a/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md
+++ b/mdop/mbam-v2/how-to-manage-mbam-administrator-roles-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md b/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md
index e449e25cfc..93609c42c5 100644
--- a/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md
+++ b/mdop/mbam-v2/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md b/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md
index f338e9a016..94028e58e1 100644
--- a/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md
+++ b/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md
index 7888f34d72..bdffa741a7 100644
--- a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md
+++ b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md
index dd4da603f5..47c7f9cf92 100644
--- a/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md
+++ b/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md
index 433c97297f..3ba78dbcad 100644
--- a/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md
+++ b/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md
index c562f3e90c..0702c3658e 100644
--- a/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md
+++ b/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md b/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md
index 9736d6ac88..09f2ccc21e 100644
--- a/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md
+++ b/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md
index 0b67f68365..b9de2465f0 100644
--- a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md
+++ b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-client.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md
index e9c34d8cd9..146fdd3729 100644
--- a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md
+++ b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-use-the-help-desk-portal.md b/mdop/mbam-v2/how-to-use-the-help-desk-portal.md
index 285a8e790c..1d863d9452 100644
--- a/mdop/mbam-v2/how-to-use-the-help-desk-portal.md
+++ b/mdop/mbam-v2/how-to-use-the-help-desk-portal.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md b/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md
index 298322fa61..34f203bd9c 100644
--- a/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md
+++ b/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md
index 06bda1be6f..7c89b836a2 100644
--- a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md
+++ b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md
index 5337db9b65..ba76b06b55 100644
--- a/mdop/mbam-v2/index.md
+++ b/mdop/mbam-v2/index.md
@@ -1,52 +1,56 @@
---
title: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide
description: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide
-author: jamiejdt
+author: dansimp
ms.assetid: fdb43f62-960a-4811-8802-50efdf04b4af
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 04/19/2017
---
-
# Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide
-
Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simplified administrative interface that you can use to manage BitLocker drive encryption. In BitLocker Administration and Monitoring 2.0, you can select BitLocker drive encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes.
-[Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md)
+## Outline
-[About MBAM 2.0](about-mbam-20-mbam-2.md)**|**[Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)**|**[About MBAM 2.0 SP1](about-mbam-20-sp1.md)**|**[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)**|**[Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)**|**[High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)**|**[Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md)
+- [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md)
+ - [About MBAM 2.0](about-mbam-20-mbam-2.md)
+ - [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)
+ - [About MBAM 2.0 SP1](about-mbam-20-sp1.md)
+ - [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)
+ - [Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)
+ - [High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)
+ - [Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md)
+- [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md)
+ - [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)
+ - [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)
+ - [Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)
+ - [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)
+ - [MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md)
+- [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md)
+ - [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)
+ - [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)
+ - [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)
+ - [MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)
+ - [Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md)
+- [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
+ - [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)
+ - [Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)
+ - [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)
+ - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)
+ - [Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)
+ - [Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)
+ - [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md)
+- [Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md)
-[Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md)
+## More Information
-[Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)**|**[MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)**|**[Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)**|**[MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)**|**[MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md)
+- [MDOP Information Experience](index.md)
-[Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md)
-
-[Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)**|**[Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)**|**[Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)**|**[MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)**|**[Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md)
-
-[Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
-
-[Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)**|**[Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)**|**[Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)**|**[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)**|** [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md)
-
-[Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md)
-
-### More Information
-
-- [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)
-
- View updated product information and known issues for MBAM 2.0.
-
-- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286)
-
- Learn about the latest MDOP information and resources.
-
-- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-
- Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
+ Find documentation, videos, and other resources for MDOP technologies.
diff --git a/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md b/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md
index 054f13ffd9..382a0458c3 100644
--- a/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/maintaining-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md b/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md
index a4c029a574..3cdb1e8d9b 100644
--- a/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md b/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md
index 2dab81a1ef..f74d87fc3e 100644
--- a/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md b/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md
index 00ef5df75b..5b07a90aff 100644
--- a/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
index cee951bd2f..ca24661fe9 100644
--- a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md b/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md
index 72c655763d..61fa70e2f9 100644
--- a/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md b/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md
index 403a3d2d2a..926638dfd3 100644
--- a/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md b/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md
index c66f0cea07..d4b80cfd3e 100644
--- a/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md b/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md
index a82ac9a07c..34efacc60e 100644
--- a/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/operations-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md b/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md
index 218286507e..5c2ed7373f 100644
--- a/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md
+++ b/mdop/mbam-v2/performing-bitlocker-management-with-mbam-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md
index 129b9e694f..092ae557f4 100644
--- a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md
+++ b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -19,7 +19,7 @@ ms.date: 06/16/2016
This topic lists and describes the available administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM) as well as the server locations where the local groups are created.
-## MBAM Administrator Roles
+## MBAM Administrator Roles
**MBAM System Administrators**
diff --git a/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md
index b2f00742d9..61c41aee4a 100644
--- a/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md
+++ b/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md
index cb5cb89526..64b9b557da 100644
--- a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md
+++ b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -142,7 +142,7 @@ This section describes Client Management policy definitions for Microsoft BitLoc
-## Fixed Drive Policy Definitions
+## Fixed Drive Policy Definitions
This section describes Fixed Drive policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: **Computer Configuration**\\**Policies**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)**\\**Fixed Drive**.
diff --git a/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md
index f872aba1de..49f97005ab 100644
--- a/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/planning-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md
index 65b9bccf65..63dda787ef 100644
--- a/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md
+++ b/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md b/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md
index e825d97948..58205559b9 100644
--- a/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md b/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md
index a125cec907..5a97d7bef6 100644
--- a/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md
+++ b/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md b/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md
index ac91e39c60..726098f4e6 100644
--- a/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: tracyp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md
index 7cb8d1004c..2bbbd782ed 100644
--- a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md
index 003c3164cc..9fb4028a56 100644
--- a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md
+++ b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md b/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md
index 8b5396b89e..0a0a6f60c0 100644
--- a/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/security-and-privacy-for-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md b/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md
index 6c66308f9f..7ea7004d1c 100644
--- a/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md
+++ b/mdop/mbam-v2/troubleshooting-mbam-20-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md b/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md
index a5bd540199..4e367f90d7 100644
--- a/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md
+++ b/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md
index 731bc11158..4e1f2addc4 100644
--- a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md
+++ b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md b/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md
index 7b3884f5c8..ab076703c4 100644
--- a/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md
+++ b/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/using-mbam-with-configuration-manager.md b/mdop/mbam-v2/using-mbam-with-configuration-manager.md
index 065e2ffd49..10be5afa15 100644
--- a/mdop/mbam-v2/using-mbam-with-configuration-manager.md
+++ b/mdop/mbam-v2/using-mbam-with-configuration-manager.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v2/using-your-pin-or-password.md b/mdop/mbam-v2/using-your-pin-or-password.md
index cdf27ed7a0..b2e8471007 100644
--- a/mdop/mbam-v2/using-your-pin-or-password.md
+++ b/mdop/mbam-v2/using-your-pin-or-password.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
index a24a6d32c9..3013d8a294 100644
--- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
@@ -19,7 +19,7 @@ author: shortpatti
This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
-[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157)
+[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=58345)
#### Steps to update the MBAM Server for existing MBAM environment
1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md
index 9e5c96e03d..e5988391c0 100644
--- a/mdop/mbam-v25/index.md
+++ b/mdop/mbam-v25/index.md
@@ -1,7 +1,7 @@
---
title: Microsoft BitLocker Administration and Monitoring 2.5
description: Microsoft BitLocker Administration and Monitoring 2.5
-author: jamiejdt
+author: dansimp
ms.assetid: fd81d7de-b166-47e8-b6c7-d984830762b6
ms.pagetype: mdop, security
ms.mktglfcycl: manage
@@ -10,67 +10,61 @@ ms.prod: w10
ms.date: 04/19/2017
---
-
# Microsoft BitLocker Administration and Monitoring 2.5
-
Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md).
-To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049).
+To obtain MBAM, see [How Do I Get MDOP](index.md#how-to-get-mdop).
-[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
+## Outline
-[About MBAM 2.5](about-mbam-25.md)**|**[Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)**|**[About MBAM 2.5 SP1](about-mbam-25-sp1.md)**|**[Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)**|**[Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)**|**[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)**|**[Accessibility for MBAM 2.5](accessibility-for-mbam-25.md)
+- [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
+ - [About MBAM 2.5](about-mbam-25.md)
+ - [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)
+ - [About MBAM 2.5 SP1](about-mbam-25-sp1.md)
+ - [Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)
+ - [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)
+ - [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)
+ - [Accessibility for MBAM 2.5](accessibility-for-mbam-25.md)
+- [Planning for MBAM 2.5](planning-for-mbam-25.md)
+ - [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)
+ - [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)
+ - [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)
+ - [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)
+ - [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)
+ - [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)
+ - [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)
+ - [Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)
+ - [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)
+ - [MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md)
+- [Deploying MBAM 2.5](deploying-mbam-25.md)
+ - [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)
+ - [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)
+ - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)
+ - [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)
+ - [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)
+ - [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)
+- [Operations for MBAM 2.5](operations-for-mbam-25.md)
+ - [Administering MBAM 2.5 Features](administering-mbam-25-features.md)
+ - [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)
+ - [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)
+ - [Maintaining MBAM 2.5](maintaining-mbam-25.md)
+ - [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md)
+- [Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md)
+- [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
+ - [Client Event Logs](client-event-logs.md)
+ - [Server Event Logs](server-event-logs.md)
-[Planning for MBAM 2.5](planning-for-mbam-25.md)
-
-[Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)**|**[MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)**|**[Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)**|**[Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)**|**[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)**|**[Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)**|**[MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)**|**[Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)**|**[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)**|**[MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md)
-
-[Deploying MBAM 2.5](deploying-mbam-25.md)
-
-[Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)**|**[Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)**|**[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)**|**[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)**|**[Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)**|**[Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)
-
-[Operations for MBAM 2.5](operations-for-mbam-25.md)
-
-[Administering MBAM 2.5 Features](administering-mbam-25-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)**|**[Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)**|**[Maintaining MBAM 2.5](maintaining-mbam-25.md)**|**[Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md)
-
-[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md)
-
-[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
-
-[Client Event Logs](client-event-logs.md)**|**[Server Event Logs](server-event-logs.md)
-
-### More Information
-
-- [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)
-
- View updated product information and known issues for MBAM 2.5.
-
-- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286)
-
- Learn about the latest MDOP information and resources.
-
-- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032)
-
- Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
-
-- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398)
-
- Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method.
-
-- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md)
-
- Guide of how to apply MBAM 2.5 SP1 Server hotfixes
-
-## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
-- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
-
-
-
+## More Information
+- [MDOP Information Experience](index.md)
+ Find documentation, videos, and other resources for MDOP technologies.
+- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398)
+ Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method.
+
+- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md)
+ Guide of how to apply MBAM 2.5 SP1 Server hotfixes
diff --git a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md
index 4c7082ea57..76b918713f 100644
--- a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md
+++ b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md
@@ -90,13 +90,13 @@ If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the rep
10. Browse to the following web services to verify that they load successfully. A page opens to indicate that the service is running, but the page does not display any metadata.
- - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc
+ - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc
- - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc
+ - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc
- - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc
+ - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc
- - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc
+ - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc
## Validating the MBAM Server deployment with the Configuration Manager Integration topology
diff --git a/mdop/medv-v1/about-med-v-10-sp1.md b/mdop/medv-v1/about-med-v-10-sp1.md
index 56178030f7..f9d3fc4573 100644
--- a/mdop/medv-v1/about-med-v-10-sp1.md
+++ b/mdop/medv-v1/about-med-v-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/about-med-v-10.md b/mdop/medv-v1/about-med-v-10.md
index 88acba7244..8a99314de9 100644
--- a/mdop/medv-v1/about-med-v-10.md
+++ b/mdop/medv-v1/about-med-v-10.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/about-this-guidemedv.md b/mdop/medv-v1/about-this-guidemedv.md
index 223ee88fbe..cf20d13c06 100644
--- a/mdop/medv-v1/about-this-guidemedv.md
+++ b/mdop/medv-v1/about-this-guidemedv.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/client-installation-command-line-reference.md b/mdop/medv-v1/client-installation-command-line-reference.md
index 2556d5ec09..44326e2a47 100644
--- a/mdop/medv-v1/client-installation-command-line-reference.md
+++ b/mdop/medv-v1/client-installation-command-line-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/configuring-med-v-for-remote-networks.md b/mdop/medv-v1/configuring-med-v-for-remote-networks.md
index a7a19283f2..cdb27ae2fd 100644
--- a/mdop/medv-v1/configuring-med-v-for-remote-networks.md
+++ b/mdop/medv-v1/configuring-med-v-for-remote-networks.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -53,7 +53,7 @@ When applying new settings, the service must be restarted.
- You can change the IIS authentication scheme to one of the following: BASIC, DIGEST, NTLM, or NEGOTIATE. The default is NEGOTIATE and uses the following entry:
- ``` syntax
+ ```xml
diff --git a/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md b/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md
index 711eae625b..1b03f70a10 100644
--- a/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md
+++ b/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/configuring-med-v-workspace-policies.md b/mdop/medv-v1/configuring-med-v-workspace-policies.md
index d870b70e1c..34784f4a18 100644
--- a/mdop/medv-v1/configuring-med-v-workspace-policies.md
+++ b/mdop/medv-v1/configuring-med-v-workspace-policies.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/creating-a-med-v-image.md b/mdop/medv-v1/creating-a-med-v-image.md
index c784d59836..4b9d3222fb 100644
--- a/mdop/medv-v1/creating-a-med-v-image.md
+++ b/mdop/medv-v1/creating-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md b/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md
index 2445b5cb1a..49db131ccf 100644
--- a/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md
+++ b/mdop/medv-v1/creating-a-med-v-workspacemedv-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md b/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md
index d04425394e..c73b1b9457 100644
--- a/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/define-the-project-scope.md b/mdop/medv-v1/define-the-project-scope.md
index ad5596df00..2d628bd096 100644
--- a/mdop/medv-v1/define-the-project-scope.md
+++ b/mdop/medv-v1/define-the-project-scope.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md b/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md
index 2002a545dc..52e0292edc 100644
--- a/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md
+++ b/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md b/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md
index e30f9def62..4167d9099f 100644
--- a/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md
+++ b/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/design-the-med-v-image-repositories.md b/mdop/medv-v1/design-the-med-v-image-repositories.md
index 0fd8aa49a6..8302861536 100644
--- a/mdop/medv-v1/design-the-med-v-image-repositories.md
+++ b/mdop/medv-v1/design-the-med-v-image-repositories.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/design-the-med-v-server-infrastructure.md b/mdop/medv-v1/design-the-med-v-server-infrastructure.md
index d3869802c5..40536204ff 100644
--- a/mdop/medv-v1/design-the-med-v-server-infrastructure.md
+++ b/mdop/medv-v1/design-the-med-v-server-infrastructure.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md b/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md
index 07a5fcee07..5165183f3c 100644
--- a/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md
+++ b/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/getting-started-with-med-v.md b/mdop/medv-v1/getting-started-with-med-v.md
index 48d652a788..969a8b0a46 100644
--- a/mdop/medv-v1/getting-started-with-med-v.md
+++ b/mdop/medv-v1/getting-started-with-med-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/high-level-architecturemedv.md b/mdop/medv-v1/high-level-architecturemedv.md
index bb6ca22e61..7badb94bbd 100644
--- a/mdop/medv-v1/high-level-architecturemedv.md
+++ b/mdop/medv-v1/high-level-architecturemedv.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md
index 5940eccaee..5d9bdb7412 100644
--- a/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md
index 90e54bea2d..4846278e8e 100644
--- a/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-apply-network-settings-to-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md
index 95f5e5b56d..bb5b64f7e8 100644
--- a/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-apply-performance-settings-to-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md
index 966dd20f1e..197b944570 100644
--- a/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md b/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md
index 0e617603d1..3a7c44c436 100644
--- a/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md
+++ b/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-a-deployment-package.md b/mdop/medv-v1/how-to-configure-a-deployment-package.md
index 191960b228..6d2a5b4f31 100644
--- a/mdop/medv-v1/how-to-configure-a-deployment-package.md
+++ b/mdop/medv-v1/how-to-configure-a-deployment-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md b/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md
index ce0b36eae2..7669269fc7 100644
--- a/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md
+++ b/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-image-pre-staging.md b/mdop/medv-v1/how-to-configure-image-pre-staging.md
index 5d736b92b9..5503edfefa 100644
--- a/mdop/medv-v1/how-to-configure-image-pre-staging.md
+++ b/mdop/medv-v1/how-to-configure-image-pre-staging.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -72,17 +72,17 @@ Image pre-staging is useful only for the initial image download. It is not suppo
**NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)**
- ** READ\_CONTROL**
+ **READ\_CONTROL**
- ** SYNCHRONIZE**
+ **SYNCHRONIZE**
- ** FILE\_GENERIC\_READ**
+ **FILE\_GENERIC\_READ**
- ** FILE\_READ\_DATA**
+ **FILE\_READ\_DATA**
- ** FILE\_READ\_EA**
+ **FILE\_READ\_EA**
- ** FILE\_READ\_ATTRIBUTES**
+ **FILE\_READ\_ATTRIBUTES**
**NT AUTHORITY\\SYSTEM:(OI)(CI)F**
diff --git a/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md b/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md
index 91f9055689..5d812e35d6 100644
--- a/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md
+++ b/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md b/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md
index 2aca3bc496..3db5f49a03 100644
--- a/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md
+++ b/mdop/medv-v1/how-to-configure-the-image-web-distribution-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md
index 6519e09c4a..61a363f290 100644
--- a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md
index 938c998f17..aded377291 100644
--- a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md
+++ b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md b/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md
index d37e201c72..6bea34fef3 100644
--- a/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md
+++ b/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md b/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md
index 258a58f9b0..463ab388e1 100644
--- a/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md b/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md
index 81edc52790..c63893f150 100644
--- a/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md
+++ b/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-delete-a-med-v-image.md b/mdop/medv-v1/how-to-delete-a-med-v-image.md
index 0167e493e8..02d9bb6115 100644
--- a/mdop/medv-v1/how-to-delete-a-med-v-image.md
+++ b/mdop/medv-v1/how-to-delete-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md b/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md
index 13cf016d4c..d849956376 100644
--- a/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md
+++ b/mdop/medv-v1/how-to-deploy-a-workspace-imagedeployment-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md b/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md
index a6b40105d0..5eb6dd5c1c 100644
--- a/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md
+++ b/mdop/medv-v1/how-to-deploy-a-workspace-imageesds.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md b/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md
index 269980cf59..babf8996d1 100644
--- a/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md
+++ b/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-generate-reports-medvv2.md b/mdop/medv-v1/how-to-generate-reports-medvv2.md
index 082e4a4e13..e9219aa508 100644
--- a/mdop/medv-v1/how-to-generate-reports-medvv2.md
+++ b/mdop/medv-v1/how-to-generate-reports-medvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-import-and-export-a-policy.md b/mdop/medv-v1/how-to-import-and-export-a-policy.md
index dec165468c..aaa08137dc 100644
--- a/mdop/medv-v1/how-to-import-and-export-a-policy.md
+++ b/mdop/medv-v1/how-to-import-and-export-a-policy.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md
index e21097b997..16597d58b2 100644
--- a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md
+++ b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md b/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md
index e84a2751f0..2ab92353b5 100644
--- a/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md
+++ b/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md b/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md
index 90bf368d23..908b387c82 100644
--- a/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md
+++ b/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-install-med-v-clientesds.md b/mdop/medv-v1/how-to-install-med-v-clientesds.md
index 57a88f7d96..46cf4d5fea 100644
--- a/mdop/medv-v1/how-to-install-med-v-clientesds.md
+++ b/mdop/medv-v1/how-to-install-med-v-clientesds.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-localize-a-med-v-image.md b/mdop/medv-v1/how-to-localize-a-med-v-image.md
index e118ce3dc9..b5f0bdf42a 100644
--- a/mdop/medv-v1/how-to-localize-a-med-v-image.md
+++ b/mdop/medv-v1/how-to-localize-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md b/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md
index 41bf6a6b2b..e620f98a5e 100644
--- a/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md
+++ b/mdop/medv-v1/how-to-lock-and-unlock-a-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-pack-a-med-v-image.md b/mdop/medv-v1/how-to-pack-a-med-v-image.md
index 613b801c36..08ccd86ef5 100644
--- a/mdop/medv-v1/how-to-pack-a-med-v-image.md
+++ b/mdop/medv-v1/how-to-pack-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md b/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md
index 755acfb23b..9c9183aebe 100644
--- a/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md
+++ b/mdop/medv-v1/how-to-set-advanced-file-transfer-options.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md b/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md
index 9971961e86..f06380a126 100644
--- a/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md
+++ b/mdop/medv-v1/how-to-set-med-v-workspace-deletion-options.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-set-up-script-actions.md b/mdop/medv-v1/how-to-set-up-script-actions.md
index 674cc2b942..cff5da73d1 100644
--- a/mdop/medv-v1/how-to-set-up-script-actions.md
+++ b/mdop/medv-v1/how-to-set-up-script-actions.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md b/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md
index d1d0b3b653..d77de77862 100644
--- a/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md b/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md
index bd490a205c..491c545b20 100644
--- a/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md
+++ b/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md b/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md
index 20febc9c9a..b765e2f19c 100644
--- a/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md
+++ b/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md b/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md
index d6d2fd0dd2..125a45d5b6 100644
--- a/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md
+++ b/mdop/medv-v1/how-to-uninstall-med-v-componentsmedvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-update-a-med-v-image.md b/mdop/medv-v1/how-to-update-a-med-v-image.md
index bee3310208..742368d6ac 100644
--- a/mdop/medv-v1/how-to-update-a-med-v-image.md
+++ b/mdop/medv-v1/how-to-update-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md b/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md
index b0f1a3f4b5..18cf02c554 100644
--- a/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md
+++ b/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md b/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md
index bb70d8a60e..cae37d85c9 100644
--- a/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md
+++ b/mdop/medv-v1/how-to-view-med-v-settings-and-general-information.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/how-to-work-with-reports.md b/mdop/medv-v1/how-to-work-with-reports.md
index 0747b58a0d..d9c80fd178 100644
--- a/mdop/medv-v1/how-to-work-with-reports.md
+++ b/mdop/medv-v1/how-to-work-with-reports.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/identify-the-number-of-med-v-instances.md b/mdop/medv-v1/identify-the-number-of-med-v-instances.md
index 2454991da1..1d78567667 100644
--- a/mdop/medv-v1/identify-the-number-of-med-v-instances.md
+++ b/mdop/medv-v1/identify-the-number-of-med-v-instances.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/index.md b/mdop/medv-v1/index.md
index 807accc058..c056dfeeaf 100644
--- a/mdop/medv-v1/index.md
+++ b/mdop/medv-v1/index.md
@@ -1,12 +1,12 @@
---
title: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide
description: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide
-author: jamiejdt
+author: dansimp
ms.assetid: 7bc3e120-df77-4f4c-bc8e-7aaa4c2a6525
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/installation-and-upgrade-checklists.md b/mdop/medv-v1/installation-and-upgrade-checklists.md
index 48f64681a0..581101261f 100644
--- a/mdop/medv-v1/installation-and-upgrade-checklists.md
+++ b/mdop/medv-v1/installation-and-upgrade-checklists.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/installing-and-configuring-med-v-components.md b/mdop/medv-v1/installing-and-configuring-med-v-components.md
index 2c3191bd46..8128182f05 100644
--- a/mdop/medv-v1/installing-and-configuring-med-v-components.md
+++ b/mdop/medv-v1/installing-and-configuring-med-v-components.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/key-scenarios-for-using-med-v.md b/mdop/medv-v1/key-scenarios-for-using-med-v.md
index 206fbcc8f4..377facde64 100644
--- a/mdop/medv-v1/key-scenarios-for-using-med-v.md
+++ b/mdop/medv-v1/key-scenarios-for-using-med-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-10-installation-checklist.md b/mdop/medv-v1/med-v-10-installation-checklist.md
index 8e68457769..6e306306a6 100644
--- a/mdop/medv-v1/med-v-10-installation-checklist.md
+++ b/mdop/medv-v1/med-v-10-installation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-10-release-notesmedv-10.md b/mdop/medv-v1/med-v-10-release-notesmedv-10.md
index 993d756655..ba7e8f9ef6 100644
--- a/mdop/medv-v1/med-v-10-release-notesmedv-10.md
+++ b/mdop/medv-v1/med-v-10-release-notesmedv-10.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md
index a439dfd41e..dce6ffe881 100644
--- a/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md
+++ b/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md
index 60cd668d0c..6beb4ac562 100644
--- a/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md
+++ b/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md
index 631070c928..2ae432d713 100644
--- a/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md
+++ b/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md b/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md
index 3d45628fd0..0ad376e710 100644
--- a/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md
+++ b/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-client-operations.md b/mdop/medv-v1/med-v-client-operations.md
index ecc32946a9..e295ac9750 100644
--- a/mdop/medv-v1/med-v-client-operations.md
+++ b/mdop/medv-v1/med-v-client-operations.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-client-toolsv2.md b/mdop/medv-v1/med-v-client-toolsv2.md
index 8d763f41b6..a49324c8b9 100644
--- a/mdop/medv-v1/med-v-client-toolsv2.md
+++ b/mdop/medv-v1/med-v-client-toolsv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-deployment-and-configuration.md b/mdop/medv-v1/med-v-deployment-and-configuration.md
index 4360637610..38648cf7f4 100644
--- a/mdop/medv-v1/med-v-deployment-and-configuration.md
+++ b/mdop/medv-v1/med-v-deployment-and-configuration.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-infrastructure-planning-and-design.md b/mdop/medv-v1/med-v-infrastructure-planning-and-design.md
index 6ad5828d2b..a0654e7a12 100644
--- a/mdop/medv-v1/med-v-infrastructure-planning-and-design.md
+++ b/mdop/medv-v1/med-v-infrastructure-planning-and-design.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-installation-prerequisites.md b/mdop/medv-v1/med-v-installation-prerequisites.md
index ef53525088..08db5ec442 100644
--- a/mdop/medv-v1/med-v-installation-prerequisites.md
+++ b/mdop/medv-v1/med-v-installation-prerequisites.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v1/med-v-operations.md b/mdop/medv-v1/med-v-operations.md
index 4c5bed949c..c76249664e 100644
--- a/mdop/medv-v1/med-v-operations.md
+++ b/mdop/medv-v1/med-v-operations.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-reporting.md b/mdop/medv-v1/med-v-reporting.md
index 079276d2e5..17674e3619 100644
--- a/mdop/medv-v1/med-v-reporting.md
+++ b/mdop/medv-v1/med-v-reporting.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md
index e8b68e25fc..1aaecaa5a4 100644
--- a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md
+++ b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -32,7 +32,7 @@ You can configure which folders are indexed on the host as part of the Trim Tran
When applying new settings, the service must be restarted.
-``` syntax
+```xml
- %WINDIR%
diff --git a/mdop/medv-v1/overview-of-med-v.md b/mdop/medv-v1/overview-of-med-v.md
index 1630db52bc..0d46bf93a7 100644
--- a/mdop/medv-v1/overview-of-med-v.md
+++ b/mdop/medv-v1/overview-of-med-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/supported-configurationsmedv-orientation.md b/mdop/medv-v1/supported-configurationsmedv-orientation.md
index f05c6462b7..c66ad41ec2 100644
--- a/mdop/medv-v1/supported-configurationsmedv-orientation.md
+++ b/mdop/medv-v1/supported-configurationsmedv-orientation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/technical-referencemedv-10-sp1.md b/mdop/medv-v1/technical-referencemedv-10-sp1.md
index aaaad698a3..77b1fc1045 100644
--- a/mdop/medv-v1/technical-referencemedv-10-sp1.md
+++ b/mdop/medv-v1/technical-referencemedv-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/troubleshooting-med-v.md b/mdop/medv-v1/troubleshooting-med-v.md
index 60afd6e0d8..52b110ec3b 100644
--- a/mdop/medv-v1/troubleshooting-med-v.md
+++ b/mdop/medv-v1/troubleshooting-med-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/updating-a-med-v-workspace-image.md b/mdop/medv-v1/updating-a-med-v-workspace-image.md
index f5095643c7..c030f2922c 100644
--- a/mdop/medv-v1/updating-a-med-v-workspace-image.md
+++ b/mdop/medv-v1/updating-a-med-v-workspace-image.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v1/using-the-med-v-management-console-user-interface.md b/mdop/medv-v1/using-the-med-v-management-console-user-interface.md
index 9fc4f72eb1..58bf527214 100644
--- a/mdop/medv-v1/using-the-med-v-management-console-user-interface.md
+++ b/mdop/medv-v1/using-the-med-v-management-console-user-interface.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/about-med-v-20.md b/mdop/medv-v2/about-med-v-20.md
index d93dfacd2d..dd2c32be10 100644
--- a/mdop/medv-v2/about-med-v-20.md
+++ b/mdop/medv-v2/about-med-v-20.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/authentication-of-med-v-end-users.md b/mdop/medv-v2/authentication-of-med-v-end-users.md
index b9265d581c..843a257c5b 100644
--- a/mdop/medv-v2/authentication-of-med-v-end-users.md
+++ b/mdop/medv-v2/authentication-of-med-v-end-users.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/command-line-options-for-med-v-installation-files.md b/mdop/medv-v2/command-line-options-for-med-v-installation-files.md
index 414a684521..f6e9a21158 100644
--- a/mdop/medv-v2/command-line-options-for-med-v-installation-files.md
+++ b/mdop/medv-v2/command-line-options-for-med-v-installation-files.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md b/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md
index 42d933514a..66fc177330 100644
--- a/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md
+++ b/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/configure-environment-prerequisites.md b/mdop/medv-v2/configure-environment-prerequisites.md
index 23fec1d335..061ec06592 100644
--- a/mdop/medv-v2/configure-environment-prerequisites.md
+++ b/mdop/medv-v2/configure-environment-prerequisites.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/configure-installation-prerequisites.md b/mdop/medv-v2/configure-installation-prerequisites.md
index 04885dd2fb..efb17dc81e 100644
--- a/mdop/medv-v2/configure-installation-prerequisites.md
+++ b/mdop/medv-v2/configure-installation-prerequisites.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
index 2bae530b8d..90b935ecef 100644
--- a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 11/01/2016
---
diff --git a/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md b/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md
index 2cd2f9a102..83a07e743e 100644
--- a/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md
+++ b/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/create-a-med-v-workspace-package.md b/mdop/medv-v2/create-a-med-v-workspace-package.md
index 7dac2edf43..0409a20532 100644
--- a/mdop/medv-v2/create-a-med-v-workspace-package.md
+++ b/mdop/medv-v2/create-a-med-v-workspace-package.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
index b3ff8ab2d9..a4506e27a5 100644
--- a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/define-and-plan-your-med-v-deployment.md b/mdop/medv-v2/define-and-plan-your-med-v-deployment.md
index 0b0e1a18e9..ae00fa5f9f 100644
--- a/mdop/medv-v2/define-and-plan-your-med-v-deployment.md
+++ b/mdop/medv-v2/define-and-plan-your-med-v-deployment.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/deploy-the-med-v-components.md b/mdop/medv-v2/deploy-the-med-v-components.md
index 607d552f9d..13bcf6dbf1 100644
--- a/mdop/medv-v2/deploy-the-med-v-components.md
+++ b/mdop/medv-v2/deploy-the-med-v-components.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/deploying-the-med-v-workspace-package.md b/mdop/medv-v2/deploying-the-med-v-workspace-package.md
index 5296ed863d..d7c6ce9753 100644
--- a/mdop/medv-v2/deploying-the-med-v-workspace-package.md
+++ b/mdop/medv-v2/deploying-the-med-v-workspace-package.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/deployment-of-med-v.md b/mdop/medv-v2/deployment-of-med-v.md
index 9bd5ad5ee3..9681fb0717 100644
--- a/mdop/medv-v2/deployment-of-med-v.md
+++ b/mdop/medv-v2/deployment-of-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/deployment-troubleshooting.md b/mdop/medv-v2/deployment-troubleshooting.md
index 3556aa5667..551edaa3e3 100644
--- a/mdop/medv-v2/deployment-troubleshooting.md
+++ b/mdop/medv-v2/deployment-troubleshooting.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md b/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md
index f8f174a569..da66303d5f 100644
--- a/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md
+++ b/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/determining-how-med-v-will-be-deployed.md b/mdop/medv-v2/determining-how-med-v-will-be-deployed.md
index 84034b795d..7750f6a2bb 100644
--- a/mdop/medv-v2/determining-how-med-v-will-be-deployed.md
+++ b/mdop/medv-v2/determining-how-med-v-will-be-deployed.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md b/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md
index 1b2a195147..3856ccbf80 100644
--- a/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md
+++ b/mdop/medv-v2/end-to-end-deployment-scenario-for-med-v-20.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md b/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md
index 508bff53d9..67d3cefef5 100644
--- a/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md
+++ b/mdop/medv-v2/end-to-end-operations-scenario-for-med-v-20.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md b/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md
index fb7cb8a0c5..679b4bb74d 100644
--- a/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md
+++ b/mdop/medv-v2/end-to-end-planning-scenario-for-med-v-20.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/example-med-v-checklists.md b/mdop/medv-v2/example-med-v-checklists.md
index 9f0a743c5f..8779d34476 100644
--- a/mdop/medv-v2/example-med-v-checklists.md
+++ b/mdop/medv-v2/example-med-v-checklists.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/example-med-v-environment-planning-checklist.md b/mdop/medv-v2/example-med-v-environment-planning-checklist.md
index 4a91991ac1..5901becc57 100644
--- a/mdop/medv-v2/example-med-v-environment-planning-checklist.md
+++ b/mdop/medv-v2/example-med-v-environment-planning-checklist.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/example-med-v-image-preparation-checklist.md b/mdop/medv-v2/example-med-v-image-preparation-checklist.md
index d1ddce73d0..99b5c5de4c 100644
--- a/mdop/medv-v2/example-med-v-image-preparation-checklist.md
+++ b/mdop/medv-v2/example-med-v-image-preparation-checklist.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/example-med-v-project-planning-checklist.md b/mdop/medv-v2/example-med-v-project-planning-checklist.md
index b0a5d1d39b..20208fccd3 100644
--- a/mdop/medv-v2/example-med-v-project-planning-checklist.md
+++ b/mdop/medv-v2/example-med-v-project-planning-checklist.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/example-med-v-system-installation-checklist.md b/mdop/medv-v2/example-med-v-system-installation-checklist.md
index de3ca2a590..d61559d1f1 100644
--- a/mdop/medv-v2/example-med-v-system-installation-checklist.md
+++ b/mdop/medv-v2/example-med-v-system-installation-checklist.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md b/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md
index f86a94139f..163025ee77 100644
--- a/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md
+++ b/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/getting-started-with-med-vmedv2.md b/mdop/medv-v2/getting-started-with-med-vmedv2.md
index de6c48b1d5..1515965dfb 100644
--- a/mdop/medv-v2/getting-started-with-med-vmedv2.md
+++ b/mdop/medv-v2/getting-started-with-med-vmedv2.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/high-level-architecturemedv2.md b/mdop/medv-v2/high-level-architecturemedv2.md
index a5adeabb7e..6f60819758 100644
--- a/mdop/medv-v2/high-level-architecturemedv2.md
+++ b/mdop/medv-v2/high-level-architecturemedv2.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
index 0821577e21..0140b859a5 100644
--- a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
+++ b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 11/01/2016
---
diff --git a/mdop/medv-v2/how-to-create-a-test-environment.md b/mdop/medv-v2/how-to-create-a-test-environment.md
index 18068b07ed..a7dbfca85a 100644
--- a/mdop/medv-v2/how-to-create-a-test-environment.md
+++ b/mdop/medv-v2/how-to-create-a-test-environment.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md
index 550099841d..9c0bc61d68 100644
--- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md
+++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md
index da44b5f136..6dcc4e29de 100644
--- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md
+++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
index 7d9e7b0536..ce2798f0eb 100644
--- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
index 9271b1face..4daa663cad 100644
--- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 11/01/2016
---
diff --git a/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md b/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md
index 581db9047a..3255998810 100644
--- a/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md
+++ b/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md b/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md
index b933cc1510..8085afe33e 100644
--- a/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md
+++ b/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md b/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md
index a8214e0d7a..e53fe97cee 100644
--- a/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md
+++ b/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md b/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md
index 5708a84057..e0a740c3ec 100644
--- a/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md
+++ b/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-test-application-publishing.md b/mdop/medv-v2/how-to-test-application-publishing.md
index 0e21fda4c9..aceb82dbf6 100644
--- a/mdop/medv-v2/how-to-test-application-publishing.md
+++ b/mdop/medv-v2/how-to-test-application-publishing.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 11/01/2016
---
diff --git a/mdop/medv-v2/how-to-test-url-redirection.md b/mdop/medv-v2/how-to-test-url-redirection.md
index e003cb9d88..be02f53d3e 100644
--- a/mdop/medv-v2/how-to-test-url-redirection.md
+++ b/mdop/medv-v2/how-to-test-url-redirection.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 11/01/2016
---
diff --git a/mdop/medv-v2/how-to-uninstall-the-med-v-components.md b/mdop/medv-v2/how-to-uninstall-the-med-v-components.md
index 9a514186e2..b937152091 100644
--- a/mdop/medv-v2/how-to-uninstall-the-med-v-components.md
+++ b/mdop/medv-v2/how-to-uninstall-the-med-v-components.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/how-to-verify-first-time-setup-settings.md b/mdop/medv-v2/how-to-verify-first-time-setup-settings.md
index e7f28b9e80..c7e07d9a20 100644
--- a/mdop/medv-v2/how-to-verify-first-time-setup-settings.md
+++ b/mdop/medv-v2/how-to-verify-first-time-setup-settings.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md b/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md
index 99eeb385f5..a8ab87367d 100644
--- a/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md
+++ b/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/index.md b/mdop/medv-v2/index.md
index 5c86cb32d1..aa6fcbf448 100644
--- a/mdop/medv-v2/index.md
+++ b/mdop/medv-v2/index.md
@@ -1,12 +1,12 @@
---
title: Microsoft Enterprise Desktop Virtualization 2.0
description: Microsoft Enterprise Desktop Virtualization 2.0
-author: jamiejdt
+author: dansimp
ms.assetid: 84109be0-4613-42e9-85fc-fcda8de6e4c4
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md b/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md
index 6a9fb7c44b..e8ceecb9a4 100644
--- a/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md
+++ b/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md b/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md
index fc9d0a46a6..250f5c9b1d 100644
--- a/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md
+++ b/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/manage-med-v-url-redirection.md b/mdop/medv-v2/manage-med-v-url-redirection.md
index d55c3d0b60..f14da219a0 100644
--- a/mdop/medv-v2/manage-med-v-url-redirection.md
+++ b/mdop/medv-v2/manage-med-v-url-redirection.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/manage-med-v-workspace-applications.md b/mdop/medv-v2/manage-med-v-workspace-applications.md
index 59211673e6..f7038cbe03 100644
--- a/mdop/medv-v2/manage-med-v-workspace-applications.md
+++ b/mdop/medv-v2/manage-med-v-workspace-applications.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/manage-med-v-workspace-settings.md b/mdop/medv-v2/manage-med-v-workspace-settings.md
index 6161aed548..be8f5b08c0 100644
--- a/mdop/medv-v2/manage-med-v-workspace-settings.md
+++ b/mdop/medv-v2/manage-med-v-workspace-settings.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md b/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md
index 7d71f89c65..d89ba616c8 100644
--- a/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md
+++ b/mdop/medv-v2/managing-applications-deployed-to-med-v-workspaces.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md b/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md
index ccc7f402df..1c1d68922c 100644
--- a/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md
+++ b/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md b/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md
index c9a2d28a4c..4277a3ed48 100644
--- a/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md
+++ b/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md
index 4ceab3afe3..58f9226ff5 100644
--- a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md
+++ b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md
index f82ac07a75..34e986503c 100644
--- a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md
+++ b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md b/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md
index cf173e2d6d..66e002ef70 100644
--- a/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md
+++ b/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md b/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md
index 4dd09c0751..94e6dc437e 100644
--- a/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md
+++ b/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/med-v-20-best-practices.md b/mdop/medv-v2/med-v-20-best-practices.md
index e402342e9f..6d2adae7e4 100644
--- a/mdop/medv-v2/med-v-20-best-practices.md
+++ b/mdop/medv-v2/med-v-20-best-practices.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/med-v-20-deployment-overview.md b/mdop/medv-v2/med-v-20-deployment-overview.md
index eb8d227f1d..aecc8e0691 100644
--- a/mdop/medv-v2/med-v-20-deployment-overview.md
+++ b/mdop/medv-v2/med-v-20-deployment-overview.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/med-v-20-release-notes.md b/mdop/medv-v2/med-v-20-release-notes.md
index 51c9d5c1c7..959cff985c 100644
--- a/mdop/medv-v2/med-v-20-release-notes.md
+++ b/mdop/medv-v2/med-v-20-release-notes.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/med-v-20-supported-configurations.md b/mdop/medv-v2/med-v-20-supported-configurations.md
index f3b1110fd8..082fdcce21 100644
--- a/mdop/medv-v2/med-v-20-supported-configurations.md
+++ b/mdop/medv-v2/med-v-20-supported-configurations.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/med-v-event-log-messages.md b/mdop/medv-v2/med-v-event-log-messages.md
index 0eaa2bebad..337ce6e33e 100644
--- a/mdop/medv-v2/med-v-event-log-messages.md
+++ b/mdop/medv-v2/med-v-event-log-messages.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/monitor-med-v-workspaces.md b/mdop/medv-v2/monitor-med-v-workspaces.md
index f2c3f0b9f9..39790987a2 100644
--- a/mdop/medv-v2/monitor-med-v-workspaces.md
+++ b/mdop/medv-v2/monitor-med-v-workspaces.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/monitoring-med-v-workspace-deployments.md b/mdop/medv-v2/monitoring-med-v-workspace-deployments.md
index 13c103bc84..5622eb9a9b 100644
--- a/mdop/medv-v2/monitoring-med-v-workspace-deployments.md
+++ b/mdop/medv-v2/monitoring-med-v-workspace-deployments.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/operations-for-med-v.md b/mdop/medv-v2/operations-for-med-v.md
index adce3aa597..584edcd307 100644
--- a/mdop/medv-v2/operations-for-med-v.md
+++ b/mdop/medv-v2/operations-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/operations-troubleshooting-medv2.md b/mdop/medv-v2/operations-troubleshooting-medv2.md
index e32475aae0..a47f2e1541 100644
--- a/mdop/medv-v2/operations-troubleshooting-medv2.md
+++ b/mdop/medv-v2/operations-troubleshooting-medv2.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/overview-of-med-vmedv2.md b/mdop/medv-v2/overview-of-med-vmedv2.md
index 41fe819b84..8682b653fc 100644
--- a/mdop/medv-v2/overview-of-med-vmedv2.md
+++ b/mdop/medv-v2/overview-of-med-vmedv2.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/planning-for-application-operating-system-compatibility.md b/mdop/medv-v2/planning-for-application-operating-system-compatibility.md
index d45cb683cb..c542d50527 100644
--- a/mdop/medv-v2/planning-for-application-operating-system-compatibility.md
+++ b/mdop/medv-v2/planning-for-application-operating-system-compatibility.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/planning-for-med-v.md b/mdop/medv-v2/planning-for-med-v.md
index 9d40fa4ef6..ae3cd69ad0 100644
--- a/mdop/medv-v2/planning-for-med-v.md
+++ b/mdop/medv-v2/planning-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/prepare-a-med-v-image.md b/mdop/medv-v2/prepare-a-med-v-image.md
index 2796dbedaa..da36437444 100644
--- a/mdop/medv-v2/prepare-a-med-v-image.md
+++ b/mdop/medv-v2/prepare-a-med-v-image.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md b/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md
index 7eb0e906c5..1ed2801a3b 100644
--- a/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md
+++ b/mdop/medv-v2/prepare-the-deployment-environment-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md b/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md
index 4a1f38168d..1127851da2 100644
--- a/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md
+++ b/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/security-and-protection-for-med-v.md b/mdop/medv-v2/security-and-protection-for-med-v.md
index c05c03ed27..d4ccad2f97 100644
--- a/mdop/medv-v2/security-and-protection-for-med-v.md
+++ b/mdop/medv-v2/security-and-protection-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/security-best-practices-for-med-v-operations.md b/mdop/medv-v2/security-best-practices-for-med-v-operations.md
index fa5a61b526..bd23d54f15 100644
--- a/mdop/medv-v2/security-best-practices-for-med-v-operations.md
+++ b/mdop/medv-v2/security-best-practices-for-med-v-operations.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/technical-reference-for-med-v.md b/mdop/medv-v2/technical-reference-for-med-v.md
index b273ebdd42..e9f819cd55 100644
--- a/mdop/medv-v2/technical-reference-for-med-v.md
+++ b/mdop/medv-v2/technical-reference-for-med-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md b/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md
index d8d48b7fc4..1997d4910d 100644
--- a/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md
+++ b/mdop/medv-v2/test-and-deploy-the-med-v-workspace-package.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/testing-the-med-v-workspace-package.md b/mdop/medv-v2/testing-the-med-v-workspace-package.md
index 4833b54dea..f28b7e1b9b 100644
--- a/mdop/medv-v2/testing-the-med-v-workspace-package.md
+++ b/mdop/medv-v2/testing-the-med-v-workspace-package.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md b/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md
index 9eec10ced2..737042b22b 100644
--- a/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md
+++ b/mdop/medv-v2/troubleshooting-med-v-by-using-the-administration-toolkit.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/troubleshooting-med-vmedv2.md b/mdop/medv-v2/troubleshooting-med-vmedv2.md
index 68e73550f9..0418c22024 100644
--- a/mdop/medv-v2/troubleshooting-med-vmedv2.md
+++ b/mdop/medv-v2/troubleshooting-med-vmedv2.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/updating-med-v-20.md b/mdop/medv-v2/updating-med-v-20.md
index 7d18165a6a..5b5c16d8a6 100644
--- a/mdop/medv-v2/updating-med-v-20.md
+++ b/mdop/medv-v2/updating-med-v-20.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/viewing-and-configuring-med-v-logs.md b/mdop/medv-v2/viewing-and-configuring-med-v-logs.md
index 831ec64b9b..e0444fb438 100644
--- a/mdop/medv-v2/viewing-and-configuring-med-v-logs.md
+++ b/mdop/medv-v2/viewing-and-configuring-med-v-logs.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/viewing-med-v-workspace-configurations.md b/mdop/medv-v2/viewing-med-v-workspace-configurations.md
index 8f95dc130d..8df18d9a30 100644
--- a/mdop/medv-v2/viewing-med-v-workspace-configurations.md
+++ b/mdop/medv-v2/viewing-med-v-workspace-configurations.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/whats-new-in-med-v-20.md b/mdop/medv-v2/whats-new-in-med-v-20.md
index 2068ac978f..70f277ff9c 100644
--- a/mdop/medv-v2/whats-new-in-med-v-20.md
+++ b/mdop/medv-v2/whats-new-in-med-v-20.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md b/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md
index 6b98064476..2d91d0e163 100644
--- a/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md
+++ b/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w7
+ms.prod: w10
ms.date: 04/28/2017
---
diff --git a/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md b/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md
index d5e3224942..3f173b9548 100644
--- a/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md
+++ b/mdop/solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md b/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md
index b2c6ffe718..747c14c3de 100644
--- a/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md
+++ b/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index 080458ef89..bd1795d759 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/15/2018
---
diff --git a/mdop/solutions/index.md b/mdop/solutions/index.md
index 6183633995..20c7e2da8e 100644
--- a/mdop/solutions/index.md
+++ b/mdop/solutions/index.md
@@ -1,12 +1,12 @@
---
title: MDOP Solutions and Scenarios
description: MDOP Solutions and Scenarios
-author: jamiejdt
+author: dansimp
ms.assetid: 1cb18bef-fbae-4e96-a4f1-90cf111c3b5f
ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md b/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md
index 29150aab71..87a025ba59 100644
--- a/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md
+++ b/mdop/solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md b/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md
index 1bafd39be8..33f773621c 100644
--- a/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md
+++ b/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md b/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md
index ddac76e38c..b9209ac16f 100644
--- a/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md
+++ b/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/about-user-experience-virtualization-10.md b/mdop/uev-v1/about-user-experience-virtualization-10.md
index 14b915317b..9fa34927b9 100644
--- a/mdop/uev-v1/about-user-experience-virtualization-10.md
+++ b/mdop/uev-v1/about-user-experience-virtualization-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/accessibility-for-ue-v.md b/mdop/uev-v1/accessibility-for-ue-v.md
index 710364b2ab..79d9e9d678 100644
--- a/mdop/uev-v1/accessibility-for-ue-v.md
+++ b/mdop/uev-v1/accessibility-for-ue-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/administering-ue-v-10.md b/mdop/uev-v1/administering-ue-v-10.md
index 2bcd134ade..b5a5d8efb1 100644
--- a/mdop/uev-v1/administering-ue-v-10.md
+++ b/mdop/uev-v1/administering-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md b/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md
index 10ce670be1..cd78b0f3d8 100644
--- a/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md
+++ b/mdop/uev-v1/administering-ue-v-with-powershell-and-wmi.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md b/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md
index ab2aa0c2ec..1416e566c1 100644
--- a/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md
+++ b/mdop/uev-v1/changing-the-frequency-of-ue-v-scheduled-tasks.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md b/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md
index 1ca4e1e44a..d41fbb33ce 100644
--- a/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md
+++ b/mdop/uev-v1/checklist-for-evaluating-line-of-business-applications-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md b/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md
index 4ff6a7f274..1d793732cd 100644
--- a/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md
+++ b/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md b/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md
index 57534783a3..b2fb85109b 100644
--- a/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md
+++ b/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md b/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md
index 7a2b1288e2..8ca6ac6836 100644
--- a/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md
+++ b/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md b/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md
index c0e408d050..b7aea24dd9 100644
--- a/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md
+++ b/mdop/uev-v1/deploying-the-settings-template-catalog-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/deploying-the-ue-v-agent.md b/mdop/uev-v1/deploying-the-ue-v-agent.md
index 80f00c8ff1..9c6b40a75c 100644
--- a/mdop/uev-v1/deploying-the-ue-v-agent.md
+++ b/mdop/uev-v1/deploying-the-ue-v-agent.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/deploying-ue-v-10.md b/mdop/uev-v1/deploying-ue-v-10.md
index 58a93cbff2..9b56dbf52e 100644
--- a/mdop/uev-v1/deploying-ue-v-10.md
+++ b/mdop/uev-v1/deploying-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md b/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md
index fe939dc049..9485eeb780 100644
--- a/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md
+++ b/mdop/uev-v1/deploying-ue-v-settings-location-templates-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md b/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md
index 70fac05e66..169f17d7ed 100644
--- a/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md
+++ b/mdop/uev-v1/edit-ue-v-settings-location-templates-with-the-ue-v-generator.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md b/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md
index 1d1459418d..88b04b4510 100644
--- a/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md
+++ b/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/high-level-architecture-for-ue-v-10.md b/mdop/uev-v1/high-level-architecture-for-ue-v-10.md
index de0ffab797..df5036bb3c 100644
--- a/mdop/uev-v1/high-level-architecture-for-ue-v-10.md
+++ b/mdop/uev-v1/high-level-architecture-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md
index 49e6e8a74c..3fe3f036fa 100644
--- a/mdop/uev-v1/index.md
+++ b/mdop/uev-v1/index.md
@@ -1,12 +1,12 @@
---
title: Microsoft User Experience Virtualization (UE-V) 1.0
description: Microsoft User Experience Virtualization (UE-V) 1.0
-author: jamiejdt
+author: dansimp
ms.assetid: 7c2b59f6-bbe9-4373-8b08-c1738665a37b
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 04/19/2017
---
diff --git a/mdop/uev-v1/installing-the-ue-v-generator.md b/mdop/uev-v1/installing-the-ue-v-generator.md
index 2729e3b8a1..821aca1fc3 100644
--- a/mdop/uev-v1/installing-the-ue-v-generator.md
+++ b/mdop/uev-v1/installing-the-ue-v-generator.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md
index 114fd6f250..cbdc80df01 100644
--- a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md
+++ b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 07/12/2017
---
diff --git a/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md b/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md
index efb3fdfb94..394c3b4ec6 100644
--- a/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md
+++ b/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md b/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md
index 9bacdae69b..337ac0882d 100644
--- a/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md
+++ b/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md
index de4bba54f9..5d165bb12f 100644
--- a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md
+++ b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md
index c41b75222e..f7a444bf69 100644
--- a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md
+++ b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-sp1-release-notes.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/migrating-ue-v-settings-packages.md b/mdop/uev-v1/migrating-ue-v-settings-packages.md
index 0584788218..a1b84ee0b2 100644
--- a/mdop/uev-v1/migrating-ue-v-settings-packages.md
+++ b/mdop/uev-v1/migrating-ue-v-settings-packages.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/operations-for-ue-v-10.md b/mdop/uev-v1/operations-for-ue-v-10.md
index 1ca7174231..e2b682e720 100644
--- a/mdop/uev-v1/operations-for-ue-v-10.md
+++ b/mdop/uev-v1/operations-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md b/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md
index 41e30f2c3a..358b709352 100644
--- a/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md
+++ b/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/planning-for-ue-v-10.md b/mdop/uev-v1/planning-for-ue-v-10.md
index a1b74638d4..5e8d26f148 100644
--- a/mdop/uev-v1/planning-for-ue-v-10.md
+++ b/mdop/uev-v1/planning-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/planning-for-ue-v-configuration-methods.md b/mdop/uev-v1/planning-for-ue-v-configuration-methods.md
index 8e5be9114d..7df8ae7d06 100644
--- a/mdop/uev-v1/planning-for-ue-v-configuration-methods.md
+++ b/mdop/uev-v1/planning-for-ue-v-configuration-methods.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/planning-for-ue-v-configuration.md b/mdop/uev-v1/planning-for-ue-v-configuration.md
index f703d2f78a..107ce3f225 100644
--- a/mdop/uev-v1/planning-for-ue-v-configuration.md
+++ b/mdop/uev-v1/planning-for-ue-v-configuration.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md b/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md
index 79eebd7152..86c03473c2 100644
--- a/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md
+++ b/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/preparing-your-environment-for-ue-v.md b/mdop/uev-v1/preparing-your-environment-for-ue-v.md
index c361404d69..17d0fcb2c2 100644
--- a/mdop/uev-v1/preparing-your-environment-for-ue-v.md
+++ b/mdop/uev-v1/preparing-your-environment-for-ue-v.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md b/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md
index eeafde3a12..0e614c1ba2 100644
--- a/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md
+++ b/mdop/uev-v1/restoring-application-and-windows-settings-synchronized-with-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/security-and-privacy-for-ue-v-10.md b/mdop/uev-v1/security-and-privacy-for-ue-v-10.md
index dd0f34f96c..8c096e4a6a 100644
--- a/mdop/uev-v1/security-and-privacy-for-ue-v-10.md
+++ b/mdop/uev-v1/security-and-privacy-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md
index 48f0163995..df91e27c64 100644
--- a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md
+++ b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -17,7 +17,7 @@ ms.date: 08/30/2016
# Sharing Settings Location Templates with the UE-V Template Gallery
-## Share location templates with the template gallery
+## Share location templates with the template gallery
The Microsoft User Experience Virtualization (UE-V) template gallery allows administrators to share their UE-V settings location templates. In the gallery, you can upload your settings location templates for other people to use, and you can download templates that other people have created. The UE-V template gallery is located on Microsoft TechNet here: .
diff --git a/mdop/uev-v1/supported-configurations-for-ue-v-10.md b/mdop/uev-v1/supported-configurations-for-ue-v-10.md
index 2fca53cc15..38776f7cf8 100644
--- a/mdop/uev-v1/supported-configurations-for-ue-v-10.md
+++ b/mdop/uev-v1/supported-configurations-for-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/troubleshooting-ue-v-10.md b/mdop/uev-v1/troubleshooting-ue-v-10.md
index 81aa6256a0..74d1546a02 100644
--- a/mdop/uev-v1/troubleshooting-ue-v-10.md
+++ b/mdop/uev-v1/troubleshooting-ue-v-10.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -19,7 +19,7 @@ ms.date: 08/30/2016
Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](https://go.microsoft.com/fwlink/p/?LinkId=224905).
-## Find troubleshooting information
+## Find troubleshooting information
You can use the following information to find troubleshooting content or additional technical content for this product.
@@ -44,7 +44,7 @@ The first step to find help content in the Administrator’s Guide is to search
3. Review the search results for assistance.
-## Create a troubleshooting article
+## Create a troubleshooting article
If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP Online Help or TechNet Wiki, you can create your own TechNet Wiki article.
diff --git a/mdop/uev-v1/ue-v-10-security-considerations.md b/mdop/uev-v1/ue-v-10-security-considerations.md
index ddbecb7393..0fec0a0670 100644
--- a/mdop/uev-v1/ue-v-10-security-considerations.md
+++ b/mdop/uev-v1/ue-v-10-security-considerations.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/ue-v-checklist.md b/mdop/uev-v1/ue-v-checklist.md
index 03c5bb4c70..50eda2adfd 100644
--- a/mdop/uev-v1/ue-v-checklist.md
+++ b/mdop/uev-v1/ue-v-checklist.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/user-experience-virtualization-privacy-statement.md b/mdop/uev-v1/user-experience-virtualization-privacy-statement.md
index ecbbabaa59..2be967fb55 100644
--- a/mdop/uev-v1/user-experience-virtualization-privacy-statement.md
+++ b/mdop/uev-v1/user-experience-virtualization-privacy-statement.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md b/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md
index 7b2ac97915..0f1b3de72d 100644
--- a/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md
+++ b/mdop/uev-v1/validate-ue-v-settings-location-templates-with-ue-v-generator.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md b/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md
index 14ed81bb52..dd61401c21 100644
--- a/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md
+++ b/mdop/uev-v1/working-with-custom-ue-v-templates-and-the-ue-v-generator.md
@@ -9,7 +9,7 @@ ms.author: ellevin
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
index a18ae22ef9..d918fb1b54 100644
--- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
+++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
@@ -193,7 +193,7 @@ You’ll need to deploy a settings storage location, a standard network share wh
-**Security Note: **
+**Security Note:**
If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor:
diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md
index 5e5f69c25f..b0a92410ba 100644
--- a/mdop/uev-v2/index.md
+++ b/mdop/uev-v2/index.md
@@ -1,7 +1,7 @@
---
title: Microsoft User Experience Virtualization (UE-V) 2.x
description: Microsoft User Experience Virtualization (UE-V) 2.x
-author: jamiejdt
+author: dansimp
ms.assetid: b860fed0-b846-415d-bdd6-ba60231a64be
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
diff --git a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md
index 733876d705..161015c807 100644
--- a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md
+++ b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md
@@ -19,7 +19,7 @@ ms.date: 08/30/2016
Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](https://go.microsoft.com/fwlink/p/?LinkId=224905).
-## Find troubleshooting information
+## Find troubleshooting information
You can use the following information to find troubleshooting content or additional technical content for this product.
@@ -44,7 +44,7 @@ The first step to find help content in the Administrator’s Guide is to search
3. Review the search results for assistance.
-## Create a troubleshooting article
+## Create a troubleshooting article
If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP Online Help or TechNet Wiki, you can create your own TechNet Wiki article.
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index c4fdb65355..fe8f3b7411 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -1,7 +1,7 @@
# [Microsoft Store for Business](index.md)
## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## [Sign up and get started](sign-up-microsoft-store-for-business-overview.md)
-###[Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md)
+### [Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md)
### [Prerequisites for Microsoft Store for Business and Education](prerequisites-microsoft-store-for-business.md)
### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-microsoft-store-for-business.md)
### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 2c0e080ed7..6a2720e035 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -51,7 +51,7 @@ Catalog and policy files have required files types.
| catalog files | .cat |
| policy files | .bin |
- ## Store for Business roles and permissions
+ ## Store for Business roles and permissions
Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
## Device Guard signing certificates
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 10be832452..2825ff309d 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -33,6 +33,7 @@
"globalMetadata": {
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
+ "audience": "ITPro",
"ms.technology": "windows",
"ms.topic": "article",
"ms.date": "05/09/2017",
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index bf36f37baf..515b03dd25 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -1,7 +1,7 @@
# [Microsoft Store for Education](/microsoft-store/index?toc=/microsoft-store/education/toc.json)
## [What's new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education?toc=/microsoft-store/education/toc.json)
## [Sign up and get started](/microsoft-store/sign-up-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
-###[Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json)
+### [Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json)
### [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Sign up for Microsoft Store for Business or Microsoft Store for Education](/microsoft-store/sign-up-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Roles and permissions in the Microsoft Store for Business and Education](/microsoft-store/roles-and-permissions-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 115dd3fa5b..91a18494e2 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -42,14 +42,14 @@ Refunds work a little differently for free apps, and apps that have a price. In
**Refunds for free apps**
- For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory.
+For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory.
- **Refunds for apps that have a price**
+**Refunds for apps that have a price**
- There are a few requirements for apps that have a price:
- - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30.
- - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
- - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory.
+There are a few requirements for apps that have a price:
+- **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30.
+- **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
+- **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory.
**To refund an order**
diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md
index 9ca69eef76..e2829a08cb 100644
--- a/store-for-business/work-with-partner-microsoft-store-business.md
+++ b/store-for-business/work-with-partner-microsoft-store-business.md
@@ -38,7 +38,7 @@ There are several ways that a solution provider can work with you. Solution prov
| OEM PC partner | Solution providers can upload device IDs for PCs that you're [managing with Autopilot](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). |
| Line-of-business (LOB) partner | Solution providers can develop, submit, and manage LOB apps specific for your organization or school. |
-## Find a solution provider
+## Find a solution provider
You can find partner in Microsoft Store for Business and Education.
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index 57281ea6e2..9df4554e37 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -33,6 +33,7 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 3d117f1d01..099bcdf1c4 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -128,9 +128,9 @@ Computers running the App-V client connect to the App-V publishing server to sen
> [!IMPORTANT]
> The following list displays the main factors to consider when setting up the App-V publishing server:
-> * The number of clients connecting simultaneously to a single publishing server.
-> * The number of packages in each refresh.
-> * The available network bandwidth in your environment between the client and the App-V publishing server.
+> * The number of clients connecting simultaneously to a single publishing server.
+> * The number of packages in each refresh.
+> * The available network bandwidth in your environment between the client and the App-V publishing server.
|Scenario|Summary|
|---|---|
@@ -153,9 +153,9 @@ Computers running the App-V client stream the virtual application package from t
> [!IMPORTANT]
> The following list identifies the main factors to consider when setting up the App-V streaming server:
-> * The number of clients streaming application packages simultaneously from a single streaming server.
-> * The size of the package being streamed.
-> * The available network bandwidth in your environment between the client and the streaming server.
+> * The number of clients streaming application packages simultaneously from a single streaming server.
+> * The size of the package being streamed.
+> * The available network bandwidth in your environment between the client and the streaming server.
|Scenario|Summary|
|---|---|
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index f7c9b35003..ee08c91bcf 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -33,6 +33,7 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
"ms.author": "elizapo",
"feedback_system": "GitHub",
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 371e401c1a..a828991d9d 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -162,9 +162,13 @@ Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneMusic_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe]
-```
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.3DBuilder_8wekyb3d8bbwe]
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe]
+```
[Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
[Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 8052f02284..3928061aa3 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -19,6 +19,9 @@ ms.date: 05/20/2019
- Windows 10
- Windows 10 Mobile
+> [!NOTE]
+> As of Windows Insider Build 18956, sideloading is enabled by default. Now, you can deploy a signed package onto a device without a special configuration.
+
"Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business.
When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 7edad5cf25..878b065aa7 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -17,7 +17,7 @@ ms.topic: troubleshooting
## Overview
-This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution.
+This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution.
## Scenarios
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index c5967a88c3..d687294412 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -33,7 +33,9 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
+ "manager": "dansimp",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index fa0bee9334..0cd8b04e7c 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,7 +1,7 @@
---
title: ApplicationControl CSP
description: ApplicationControl CSP
-ms.author: dansimp@microsoft.com
+ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 4f5c622cc0..7dc2e66ea2 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -1,7 +1,7 @@
---
title: ApplicationControl CSP
description: ApplicationControl CSP
-ms.author: dansimp@microsoft.com
+ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 22a816cc20..356fa67a5f 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -156,22 +156,8 @@ Each of the previous nodes contains one or more of the following leaf nodes:
Policy
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-
Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.
-
For CodeIntegrity/Policy, you can use the certutil -encode command line tool to encode the data to base-64.
If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.
-
Data type is string. Supported operations are Get, Add, Delete, and Replace.
+
For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.
+
For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.
EnforcementMode
@@ -186,6 +172,8 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
+> [!NOTE]
+> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP.
## Find publisher and product name of apps
@@ -842,7 +830,7 @@ The following list shows the apps that may be included in the inbox.
The following example disables the calendar application.
-``` syntax
+```xml
@@ -866,7 +854,7 @@ The following example disables the calendar application.
The following example blocks the usage of the map application.
-``` syntax
+```xml
@@ -1406,7 +1394,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
## Example for Windows 10 Holographic for Business
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings.
-``` syntax
+```xml
1
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 5664409319..41612181c5 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -372,7 +372,7 @@ Data type is string.
Enroll a client certificate through SCEP.
-``` syntax
+```xml
@@ -571,7 +571,7 @@ Enroll a client certificate through SCEP.
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md
index 432b10a418..301c28ea8e 100644
--- a/windows/client-management/mdm/cm-proxyentries-csp.md
+++ b/windows/client-management/mdm/cm-proxyentries-csp.md
@@ -90,7 +90,7 @@ Specifies the username used to connect to the proxy.
To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 2579fa4d39..744a4be799 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -215,7 +215,7 @@ Supported product status values:
Example:
-``` syntax
+```xml
@@ -224,7 +224,7 @@ Example:
./Vendor/MSFT/Defender/Health/ProductStatus
-
+
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 8d704d0165..2191e66e9c 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -277,23 +277,23 @@ Supported operation is Get.
**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
-- 0x0: System meets hardware configuration requirements
-- 0x1: SecureBoot required
-- 0x2: DMA Protection required
-- 0x4: HyperV not supported for Guest VM
-- 0x8: HyperV feature is not available
+- 0x0: System meets hardware configuration requirements
+- 0x1: SecureBoot required
+- 0x2: DMA Protection required
+- 0x4: HyperV not supported for Guest VM
+- 0x8: HyperV feature is not available
Supported operation is Get.
**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
-- 0 - Running
-- 1 - Reboot required
-- 2 - 64 bit architecture required
-- 3 - not licensed
-- 4 - not configured
-- 5 - System doesn't meet hardware requirements
-- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
+- 0 - Running
+- 1 - Reboot required
+- 2 - 64 bit architecture required
+- 3 - not licensed
+- 4 - not configured
+- 5 - System doesn't meet hardware requirements
+- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
Supported operation is Get.
@@ -301,11 +301,11 @@ Supported operation is Get.
**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
-- 0 - Running
-- 1 - Reboot required
-- 2 - Not licensed for Credential Guard
-- 3 - Not configured
-- 4 - VBS not running
+- 0 - Running
+- 1 - Reboot required
+- 2 - Not licensed for Credential Guard
+- 3 - Not configured
+- 4 - VBS not running
Supported operation is Get.
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 31cb8df991..85de08a137 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -73,7 +73,7 @@ When the PC is already enrolled in MDM, you can remotely collect logs from the P
Example: Enable the Debug channel logging
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index 09b61984c1..aa61f9d50b 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -262,7 +262,7 @@ Stores specifies which certificate stores the DM client will search to find the
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
-``` syntax
+```xml
```
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 49635be46f..03e82dc9e8 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -56,7 +56,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
- ``` syntax
+ ```powershell
Get-VpnConnection -Name Test
```
@@ -80,17 +80,17 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
IdleDisconnectSeconds : 0
```
- ``` syntax
+ ```powershell
$a = Get-VpnConnection -Name Test
```
- ``` syntax
+ ```powershell
$a.EapConfigXmlStream.InnerXml
```
Here is an example output
- ``` syntax
+ ```xml
130013
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index f97a70c2f7..548a34e79e 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -19,20 +19,23 @@ This is a step-by-step guide to configuring ADMX-backed policies in MDM.
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
-- Find the policy from the list ADMX-backed policies.
-- Find the Group Policy related information from the MDM policy description.
-- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
-- Create the data payload for the SyncML.
+- Find the policy from the list ADMX-backed policies.
+- Find the Group Policy related information from the MDM policy description.
+- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
+- Create the data payload for the SyncML.
-See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) for a walk-through using Intune.
+See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/) for a walk-through using Intune.
>[!TIP]
>Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows)
## Enable a policy
+> [!NOTE]
+> See [Understanding ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies).
+
1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.
- - GP English name
+ - GP English name
- GP name
- GP ADMX file name
- GP path
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index 85e0516dfd..429bf2fe21 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -1,7 +1,7 @@
---
title: EnrollmentStatusTracking CSP
description: EnrollmentStatusTracking CSP
-ms.author: dansimp@microsoft.com
+ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 40733a7170..080db28b5c 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -1,7 +1,7 @@
---
title: EnrollmentStatusTracking CSP
description: EnrollmentStatusTracking CSP
-ms.author: dansimp@microsoft.com
+ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md
index 1fad0a54a6..386f5a8c48 100644
--- a/windows/client-management/mdm/esim-enterprise-management.md
+++ b/windows/client-management/mdm/esim-enterprise-management.md
@@ -14,13 +14,13 @@ ms.topic:
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following:
-- Onboard to Azure Active Directory
-- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties.
-- Assess solution type that you would like to provide your customers
-- Batch/offline solution
-- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
-- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
-- Real-time solution
-- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
-- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
+- Onboard to Azure Active Directory
+- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties.
+- Assess solution type that you would like to provide your customers
+- Batch/offline solution
+- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
+- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
+- Real-time solution
+- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
+- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator.
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index a14f71ce2d..3870f7d385 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -314,16 +314,16 @@ For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint nod
The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service.
-``` syntax
-
- 1
-
-
- ./Vendor/MSFT/HealthAttestation/HASEndpoint
-
- www.ContosoDHA-Service
-
-
+```xml
+
+ 1
+
+
+ ./Vendor/MSFT/HealthAttestation/HASEndpoint
+
+ www.ContosoDHA-Service
+
+
```
@@ -334,24 +334,24 @@ Send a SyncML call to start collection of the DHA-Data.
The following example shows a sample call that triggers collection and verification of health attestation data from a managed device.
-``` syntax
-
- 1
-
-
- ./Vendor/MSFT/HealthAttestation/VerifyHealth
-
-
-
+```xml
+
+ 1
+
+
+ ./Vendor/MSFT/HealthAttestation/VerifyHealth
+
+
+
-
- 2
-
-
- ./Vendor/MSFT/HealthAttestation/Status
-
-
-
+
+ 2
+
+
+ ./Vendor/MSFT/HealthAttestation/Status
+
+
+
```
## **Step 4: Take action based on the clients response**
@@ -364,21 +364,21 @@ After the client receives the health attestation request, it sends a response. T
Here is a sample alert that is issued by DHA_CSP:
-``` syntax
-
- 1
- 1226
-
-
- ./Vendor/MSFT/HealthAttestation/VerifyHealth
-
-
- com.microsoft.mdm:HealthAttestation.Result
- int
-
- 3
-
-
+```xml
+
+ 1
+ 1226
+
+
+ ./Vendor/MSFT/HealthAttestation/VerifyHealth
+
+
+ com.microsoft.mdm:HealthAttestation.Result
+ int
+
+ 3
+
+
```
- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
@@ -389,35 +389,34 @@ Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and
Here is an example:
-``` syntax
+```xml
- 1
-
-
- ./Vendor/MSFT/HealthAttestation/Nonce
-
- AAAAAAAAAFFFFFFF
-
+ 1
+
+
+ ./Vendor/MSFT/HealthAttestation/Nonce
+
+ AAAAAAAAAFFFFFFF
+
-
- 2
-
-
- ./Vendor/MSFT/HealthAttestation/Certificate
-
-
-
-
-
- 3
-
-
- ./Vendor/MSFT/HealthAttestation/CorrelationId
-
-
-
+
+ 2
+
+
+ ./Vendor/MSFT/HealthAttestation/Certificate
+
+
+
+
+ 3
+
+
+ ./Vendor/MSFT/HealthAttestation/CorrelationId
+
+
+
```
## **Step 6: Forward device health attestation data to DHA-service**
@@ -1019,8 +1018,8 @@ Each of these are described in further detail in the following sections, along w
## DHA-Report V3 schema
-``` syntax
-
+```xml
+
[!NOTE]
> The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub.
@@ -49,9 +49,9 @@ The following diagram shows the NetworkQoSPolicy configuration service provider
Valid values are:
- - 0 (default) - Both TCP and UDP
- - 1 - TCP
- - 2 - UDP
+- 0 (default) - Both TCP and UDP
+- 1 - TCP
+- 2 - UDP
The data type is int.
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index bb80f306e7..9feb66be2d 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -478,11 +478,11 @@ An XML blob that specifies the application restrictions company want to put to t
>
> Here's additional guidance for the upgrade process:
>
-> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
-> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
-> - In the SyncML, you must use lowercase product ID.
-> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
-> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
+> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
+> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
+> - In the SyncML, you must use lowercase product ID.
+> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
+> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
An application that is running may not be immediately terminated.
@@ -537,7 +537,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al
ADMX Info:
-- GP English name: *Disable all apps from Microsoft Store *
+- GP English name: *Disable all apps from Microsoft Store*
- GP name: *DisableStoreApps*
- GP path: *Windows Components/Store*
- GP ADMX file name: *WindowsStore.admx*
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index a397e2cdfa..6553368bef 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -629,9 +629,9 @@ ADMX Info:
Supported values:
-- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit.
-- 0 - Never send tracking information.
-- 1 - Send tracking information.
+- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit.
+- 0 - Never send tracking information.
+- 1 - Send tracking information.
Most restricted value: 1
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 1ff5f4fa3a..e137a5dc9f 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -12,7 +12,6 @@ author: manikadhiman
# Policy CSP - DeviceInstallation
-
@@ -111,13 +110,6 @@ ADMX Info:
-
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter.
@@ -148,6 +140,11 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
+
+
+
+
@@ -222,13 +219,6 @@ ADMX Info:
-
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example allows Windows to install:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
@@ -266,6 +256,11 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
+
+
+
+
@@ -311,8 +306,6 @@ If you enable this policy setting, Windows does not retrieve device metadata for
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
-
-
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -340,8 +333,6 @@ ADMX Info:
-
-
@@ -386,7 +377,6 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
-
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -407,13 +397,6 @@ ADMX Info:
-
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting.
@@ -448,7 +431,11 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
You can also block installation by using a custom profile in Intune.
+
+
+
+
@@ -512,9 +499,10 @@ ADMX Info:
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
+
To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use  as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
@@ -552,6 +540,11 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.
+
+
+
+
+
@@ -614,9 +607,10 @@ ADMX Info:
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
+
To enable this policy, use the following SyncML. This example prevents Windows from installing:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
@@ -653,6 +647,12 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
+
+
+
+
+
Footnote:
@@ -663,5 +663,4 @@ Footnote:
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 524745b05b..1682e10bd8 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -387,12 +387,12 @@ Specifies whether device lock is enabled.
> [!Important]
> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
> - **DevicePasswordEnabled** is the parent policy of the following:
-> - AllowSimpleDevicePassword
-> - MinDevicePasswordLength
-> - AlphanumericDevicePasswordRequired
-> - MinDevicePasswordComplexCharacters
-> - DevicePasswordExpiration
-> - DevicePasswordHistory
+> - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
+> - MinDevicePasswordComplexCharacters
+> - DevicePasswordExpiration
+> - DevicePasswordHistory
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index d13267b269..c39e01b943 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -13428,7 +13428,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
ADMX Info:
-- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
+- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer*
- GP name: *VerMgmtDisableRunThisTime*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -16504,7 +16504,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy.
ADMX Info:
-- GP English name: *Security Zones: Use only machine settings *
+- GP English name: *Security Zones: Use only machine settings*
- GP name: *Security_HKLM_only*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index ba8a7d6310..f176045650 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
-You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
+You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 81727ffef1..e2a1e35daf 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -806,11 +806,11 @@ If the policy is not specified, the behavior will be that no pages are affected.
The format of the PageVisibilityList value is as follows:
-- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
-- There are two variants: one that shows only the given pages and one which hides the given pages.
-- The first variant starts with the string "showonly:" and the second with the string "hide:".
-- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
-- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
+- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
+- There are two variants: one that shows only the given pages and one which hides the given pages.
+- The first variant starts with the string "showonly:" and the second with the string "hide:".
+- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
+- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
The default value for this setting is an empty string, which is interpreted as show everything.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index af2069854f..65f8aca2b1 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1068,7 +1068,7 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat
ADMX Info:
-- GP English name: *Disable deleting diagnostic data *
+- GP English name: *Disable deleting diagnostic data*
- GP name: *DisableDeviceDelete*
- GP element: *DisableDeviceDelete*
- GP path: *Data Collection and Preview Builds*
@@ -1131,7 +1131,7 @@ If you disable or don't configure this policy setting, the Diagnostic Data Viewe
ADMX Info:
-- GP English name: *Disable diagnostic data viewer. *
+- GP English name: *Disable diagnostic data viewer.*
- GP name: *DisableDiagnosticDataViewer*
- GP element: *DisableDiagnosticDataViewer*
- GP path: *Data Collection and Preview Builds*
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 5e4b03fa34..1553b89d93 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -70,8 +70,8 @@ manager: dansimp
This setting determines whether non-administrators can use Task Manager to end tasks.
Value type is integer. Supported values:
- - 0 - Disabled. EndTask functionality is blocked in TaskManager.
- - 1 - Enabled (default). Users can perform EndTask in TaskManager.
+- 0 - Disabled. EndTask functionality is blocked in TaskManager.
+- 1 - Enabled (default). Users can perform EndTask in TaskManager.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 92367a4c2e..b0de2a2be1 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1053,7 +1053,7 @@ Supported values:
-Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.
@@ -1071,8 +1071,8 @@ The following list shows the supported values:
- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709)
- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
-- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
-- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
+- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
+- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903)
@@ -3874,20 +3874,20 @@ The following list shows the supported values:
Example
-``` syntax
-
- $CmdID$
-
-
- chr
- text/plain
-
-
- ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
-
- http://abcd-srv:8530
-
-
+```xml
+
+ $CmdID$
+
+
+ chr
+ text/plain
+
+
+ ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
+
+ http://abcd-srv:8530
+
+
```
diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
index ea985de378..3ea4ca8ee0 100644
--- a/windows/client-management/mdm/remotelock-csp.md
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -117,7 +117,7 @@ A Get operation on this node must follow an Exec operation on the /RemoteLock/Lo
Initiate a remote lock of the device.
-``` syntax
+```xml
1
@@ -130,7 +130,7 @@ Initiate a remote lock of the device.
Initiate a remote lock and PIN reset of the device. To successfully retrieve the new device-generated PIN, the commands must be executed together and in the proper sequence as shown below.
-``` syntax
+```xml
1
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index 21149dd08e..726df442f0 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -31,14 +31,14 @@ The supported operation is Exec.
The following sample shows how to initiate a remote ring on the device.
-``` syntax
+```xml
- 5
-
-
- ./Vendor/MSFT/RemoteRing/Ring
-
-
+ 5
+
+
+ ./Vendor/MSFT/RemoteRing/Ring
+
+
```
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index 44828e2d90..1f1391ff33 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -81,7 +81,7 @@ Supported operations are Get and Replace.
Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime.
-``` syntax
+```xml
@@ -104,7 +104,7 @@ Retrieve all available Windows Information Protection (formerly known as Enterpr
Retrieve a specified number of security auditing logs starting from the specified StartTime.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 91478addbe..9b8b3ce65d 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -199,7 +199,7 @@ The following security roles are supported.
Setting a security policy:
-``` syntax
+```xml
@@ -209,7 +209,7 @@ Setting a security policy:
Querying a security policy:
-``` syntax
+```xml
@@ -222,7 +222,7 @@ Querying a security policy:
Setting a security policy:
-``` syntax
+```xml
…
@@ -245,7 +245,7 @@ Setting a security policy:
Querying a security policy:
-``` syntax
+```xml
…
diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
index 7791fe19fd..0e0293bca8 100644
--- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
@@ -53,7 +53,7 @@ The following table shows the OMA DM versions that are supported.
The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification.
-``` syntax
+```xml
1.2
@@ -107,7 +107,7 @@ The following example shows the header component of a DM message. In this case,
-``` syntax
+```xml
1.2DM/1.2
@@ -130,7 +130,7 @@ SyncBody contains one or more DM commands. The SyncBody can contain multiple DM
The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command.
-``` syntax
+```xml
@@ -157,7 +157,7 @@ The Replace command is used to update a device setting.
The following example illustrates how to use the Replace command to update a device setting.
-``` syntax
+```xml
1.2DM/1.2
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index ded1d293de..09ea7f32d0 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -481,7 +481,7 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be
Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 50b1862e82..fcb23c170c 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -39,52 +39,52 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
To use a device account from Active Directory
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index e546efa7f6..36f46f9df1 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -37,20 +37,20 @@ The following diagram shows the TPMPolicy configuration service provider in tree
Here is an example:
-``` syntax
-
- 101
-
-
-
- ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
-
-
-
- bool
- text/plain
-
- true
-
-
+```xml
+
+ 101
+
+
+
+ ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
+
+
+
+ bool
+ text/plain
+
+ true
+
+
```
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 233e581a91..33001ff094 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -23,8 +23,8 @@ In addition to standard policies, the Policy CSP can now also handle ADMX-backed
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
-- OS settings: Computer Configuration/Administrative Templates
-- Application settings: User Configuration/Administrative Templates
+- OS settings: Computer Configuration/Administrative Templates
+- Application settings: User Configuration/Administrative Templates
In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required.
@@ -42,17 +42,17 @@ To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrat
The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the “Publishing Server 2 Settings” is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
Group Policy option button setting:
-- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
- - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
- - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition.
+- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
+ - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
+ - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition.
-- If **Disabled** is selected and you click **Apply**, the following events occur:
- - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
- - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
+- If **Disabled** is selected and you click **Apply**, the following events occur:
+ - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
+ - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
-- If **Not Configured** is selected and you click **Apply**, the following events occur:
- - MDM ISV server sets up a Delete SyncML command.
- - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition.
+- If **Not Configured** is selected and you click **Apply**, the following events occur:
+ - MDM ISV server sets up a Delete SyncML command.
+ - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition.
The following diagram shows the main display for the Group Policy Editor.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 5fa7655902..fa5597ecf6 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -598,7 +598,7 @@ Value type is bool. Supported operations include Get, Add, Replace, and Delete.
Profile example
-``` syntax
+```xml
@@ -657,244 +657,241 @@ Profile example
AppTriggerList
-``` syntax
+```xml
-
- 10013
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id
-
- %PROGRAMFILES%\Internet Explorer\iexplore.exe
-
-
-
- 10014
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id
-
- %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe
-
-
-
-
- 10015
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
+
+ 10013
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id
+
+ %PROGRAMFILES%\Internet Explorer\iexplore.exe
+
+
+
+ 10014
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id
+
+ %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe
+
+
+
+
+ 10015
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
```
RouteList and ExclusionRoute
-``` syntax
-
-
- 10008
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address
-
- 192.168.0.0
-
-
-
- 10009
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize
-
-
- int
-
- 24
-
-
-
- 10010
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute
-
-
- bool
-
- true
-
-
-
+```xml
+
+ 10008
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address
+
+ 192.168.0.0
+
+
+
+ 10009
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize
+
+
+ int
+
+ 24
+
+
+
+ 10010
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute
+
+
+ bool
+
+ true
+
+
```
DomainNameInformationList
-``` syntax
-
-
-
- 10013
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName
-
- .contoso.com
-
-
-
- 10014
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers
-
- 192.168.0.11,192.168.0.12
-
-
-
+```xml
+
+
+ 10013
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName
+
+ .contoso.com
+
+
+
+ 10014
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers
+
+ 192.168.0.11,192.168.0.12
+
+
+
-
- 10013
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName
-
- .contoso.com
-
-
-
-
- 10015
-
-
-./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers
-
- 192.168.0.100:8888
-
-
-
+
+ 10013
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName
+
+ .contoso.com
+
+
+
+
+ 10015
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers
+
+ 192.168.0.100:8888
+
+
+
-
-
- 10016
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName
-
- finance.contoso.com
-
-
-
- 10017
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers
-
- 192.168.0.11,192.168.0.12
-
-
-
+
+
+ 10016
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName
+
+ finance.contoso.com
+
+
+
+ 10017
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers
+
+ 192.168.0.11,192.168.0.12
+
+
+
-
-
- 10016
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName
-
- finance.contoso.com
-
-
-
- 10017
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers
-
- 192.168.0.11:8080
-
-
-
+
+
+ 10016
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName
+
+ finance.contoso.com
+
+
+
+ 10017
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers
+
+ 192.168.0.11:8080
+
+
+
-
- 10016
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName
-
- .
-
-
-
- 10017
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers
-
- 192.168.0.11,192.168.0.12
-
-
-
+
+ 10016
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName
+
+ .
+
+
+
+ 10017
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers
+
+ 192.168.0.11,192.168.0.12
+
+
+
-
-
- 10016
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName
-
- .
-
-
-
- 10017
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers
-
- 192.168.0.11
-
-
+
+
+ 10016
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName
+
+ .
+
+
+
+ 10017
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers
+
+ 192.168.0.11
+
+
```
AutoTrigger
-``` syntax
+```xml
- 10010
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger
-
-
- bool
-
- true
-
-
+ 10010
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger
+
+
+ bool
+
+ true
+
+
```
Persistent
-``` syntax
+```xml
- 10010
-
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent
-
-
- bool
-
- true
-
-
+ 10010
+
+
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent
+
+
+ bool
+
+ true
+
+
```
TrafficFilterLIst App
-``` syntax
+```xml
Desktop App
10013
@@ -929,7 +926,7 @@ TrafficFilterLIst App
Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection
-``` syntax
+```xml
Protocol
$CmdID$
@@ -1077,7 +1074,7 @@ Protocol
Proxy - Manual or AutoConfigUrl
-``` syntax
+```xml
Manual
$CmdID$
@@ -1103,7 +1100,7 @@ Manual
Device Compliance - Sso
-``` syntax
+```xml
Enabled
10011
@@ -1143,7 +1140,7 @@ Device Compliance - Sso
PluginProfile
-``` syntax
+```xml
PluginPackageFamilyName
@@ -1181,7 +1178,7 @@ PluginPackageFamilyName
NativeProfile
-``` syntax
+```xml
Servers
10001
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 2aa15af132..fbb8abae88 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -344,7 +344,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
## Plug-in profile example
-``` syntax
+```xml
testserver1.contoso.com;testserver2.contoso..com
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 0a7adafa8c..eff35b4fd4 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -160,7 +160,7 @@ Stores specifies which certificate stores the DM client will search to find the
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
-``` syntax
+```xml
```
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 7db7e01ffb..79992abc08 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -121,7 +121,7 @@ These XML examples show how to perform various tasks using OMA DM.
The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,' a proxy URL 'testproxy,' and port 80.
-``` syntax
+```xml
@@ -160,7 +160,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
The following example shows how to query Wi-Fi profiles installed on an MDM server.
-``` syntax
+```xml
301
@@ -173,7 +173,7 @@ The following example shows how to query Wi-Fi profiles installed on an MDM serv
The following example shows the response.
-``` syntax
+```xml
31
@@ -190,17 +190,17 @@ The following example shows the response.
The following example shows how to remove a network with SSID ‘MyNetwork’ and no proxy. Removing all network authentication types is done in this same manner.
-``` syntax
+```xml
- 300
-
- 301
-
-
- ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml
-
-
-
+ 300
+
+ 301
+
+
+ ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml
+
+
+
```
@@ -208,21 +208,21 @@ The following example shows how to remove a network with SSID ‘MyNetwork’ an
The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetwork’ and root CA validation for server certificate.
-``` syntax
+```xml
- 300
-
- 301
-
-
- ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml
-
-
- chr
-
- MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse
-
-
+ 300
+
+ 301
+
+
+ ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml
+
+
+ chr
+
+ MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse
+
+
```
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index f4394c7d54..2570e65b3d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -11,7 +11,7 @@ ms.reviewer:
manager: dansimp
---
-# Win32CompatibilityAppraiser CSP
+# Win32CompatibilityAppraiser CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 6ae22efd72..2508fa2863 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -120,7 +120,7 @@ The following list describes the characteristics and parameters.
## Examples
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 0b9e8aa3aa..7831cfbce6 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -30,9 +30,9 @@ Interior node. Supported operation is Get.
**Settings/AllowWindowsDefenderApplicationGuard**
Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
- - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
+
+- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
+- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index f5372d05f6..58a5040b72 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -196,7 +196,7 @@ Values:
**CheckApplicability**
-``` syntax
+```xml
@@ -223,7 +223,7 @@ Values:
**Edition**
-``` syntax
+```xml
@@ -241,7 +241,7 @@ Values:
**LicenseKeyType**
-``` syntax
+```xml
@@ -259,7 +259,7 @@ Values:
**Status**
-``` syntax
+```xml
@@ -277,7 +277,7 @@ Values:
**UpgradeEditionWithProductKey**
-``` syntax
+```xml
@@ -304,7 +304,7 @@ Values:
**UpgradeEditionWithLicense**
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md
index ea9dd8e10a..ffd68aa965 100644
--- a/windows/client-management/mdm/windowssecurityauditing-csp.md
+++ b/windows/client-management/mdm/windowssecurityauditing-csp.md
@@ -39,7 +39,7 @@ Supported operations are Get and Replace.
Enable logging of audit events.
-``` syntax
+```xml
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 4d421e7c6a..b6fb182eae 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -27,7 +27,7 @@ The child node names of the result from a WMI query are separated by a forward s
Get the list of network adapters from the device.
-``` syntax
+```xml
./cimV2/Win32_NetworkAdapter
@@ -37,7 +37,7 @@ Get the list of network adapters from the device.
Result
-``` syntax
+```xml
./cimV2/Win32_NetworkAdapter
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index 945ba0f15a..e90c985fdb 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -66,7 +66,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th
```
-## Reset using the UI
+## Reset using the UI
1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone**
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 146160c8a3..27b46491dc 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -17,7 +17,7 @@ manager: dansimp
This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer.
-## Causes of the Inaccessible_Boot_Device Stop error
+## Causes of the Inaccessible_Boot_Device Stop error
Any one of the following factors may cause the stop error:
@@ -37,7 +37,7 @@ Any one of the following factors may cause the stop error:
* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
-## Troubleshoot this error
+## Troubleshoot this error
Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
@@ -47,9 +47,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com
3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** .
-### Verify that the boot disk is connected and accessible
+### Verify that the boot disk is connected and accessible
-#### Step 1
+#### Step 1
At the WinRE Command prompt, run `diskpart`, and then run `list disk`.
@@ -67,7 +67,7 @@ If the computer uses a Unified Extensible Firmware Interface (UEFI) startup inte
If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column.
-#### Step 2
+#### Step 2
If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`.
@@ -88,7 +88,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm
>[!NOTE]
>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer.
-### Verify the integrity of Boot Configuration Database
+### Verify the integrity of Boot Configuration Database
Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt.
@@ -163,7 +163,7 @@ If you do not have a Windows 10 ISO, you must format the partition and copy **bo
4. Right-click the partition, and then format it.
-### Troubleshooting if this issue occurs after a Windows Update installation
+### Troubleshooting if this issue occurs after a Windows Update installation
Run the following command to verify the Windows update installation and dates:
@@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates:
Dism /Image:: /Get-packages
```
-After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages:
+After you run this command, you will see the **Install pending** and **Uninstall Pending** packages:
@@ -203,9 +203,9 @@ After you run this command, you will see the **Install pending** and **Uninstall
11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
-### Verifying boot critical drivers and services
+### Verifying boot critical drivers and services
-#### Check services
+#### Check services
1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
@@ -235,7 +235,7 @@ ren SYSTEM SYSTEM.old
copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\
```
-#### Check upper and lower filter drivers
+#### Check upper and lower filter drivers
Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers:
@@ -268,7 +268,7 @@ The reason that these entries may affect us is because there may be an entry in
>[!NOTE]
>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error.
-### Running SFC and Chkdsk
+### Running SFC and Chkdsk
If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt:
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 26d48d6ccb..0c13fc8950 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -107,8 +107,8 @@ You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that
More information on how to use Dumpchk.exe to check your dump files:
-- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
-- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
+- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
+- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
### Pagefile Settings
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 920e5a1ff0..664dc7700e 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -145,8 +145,8 @@ If the computer is no longer frozen and now is running in a good state, use the
Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid.
-- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
-- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
+- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk)
+- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk)
Learn how to use Dumpchk.exe to check your dump files:
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 3dc34d0551..9790bdb770 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -27,11 +27,11 @@ Employees increasingly depend on smartphones to complete daily work tasks, but t
Windows 10 supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. Devices can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance, monitoring, and retirement using a comprehensive mobile device management solution.
**In this article**
-- [Deploy](#deploy)
-- [Configure](#configure)
-- [Apps](#apps)
-- [Manage](#manage)
-- [Retire](#retire)
+- [Deploy](#deploy)
+- [Configure](#configure)
+- [Apps](#apps)
+- [Manage](#manage)
+- [Retire](#retire)
## Deploy
@@ -365,18 +365,18 @@ You can define and deploy APN profiles in MDM systems that configure cellular da
- **APN name** The APN name
- *IP connection type* The IP connection type; set to one of the following values:
- - IPv4 only
- - IPv6 only
- - IPv4 and IPv6 concurrently
- - IPv6 with IPv4 provided by 46xlat
+ - IPv4 only
+ - IPv6 only
+ - IPv4 and IPv6 concurrently
+ - IPv6 with IPv4 provided by 46xlat
- **LTE attached** Whether the APN should be attached as part of an LTE Attach
- **APN class ID** The globally unique identifier that defines the APN class to the modem
- **APN authentication type** The APN authentication type; set to one of the following values:
- - None
- - Auto
- - PAP
- - CHAP
- - MSCHAPv2
+ - None
+ - Auto
+ - PAP
+ - CHAP
+ - MSCHAPv2
- **User name** The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type
- **Password** The password for the user account specified in User name
- **Integrated circuit card ID** The integrated circuit card ID associated with the cellular connection profile
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 4389cbd5e6..037e389943 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -2,7 +2,7 @@
title: Configure Windows 10 taskbar (Windows 10)
description: Admins can pin apps to users' taskbars.
keywords: ["taskbar layout","pin apps"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index aa221c4b9e..7ac4b1ff90 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -176,7 +176,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
2. [Export the Start layout](#export-the-start-layout).
3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
- ``` syntax
+ ```xml
```
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 1ca640e263..af378be469 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -33,6 +33,7 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index fa57936276..bbe21777b6 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -68,7 +68,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app
Kiosk Browser settings | Use this setting to
--- | ---
-Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.
For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
+Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.
For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index 2cde6940fa..cf28c53e4a 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -16,7 +16,7 @@ ms.author: dansimp
ms.topic: article
---
-# Assigned Access configuration (kiosk) XML reference
+# Assigned Access configuration (kiosk) XML reference
**Applies to**
@@ -26,7 +26,7 @@ ms.topic: article
## Full XML sample
>[!NOTE]
->Updated for Windows 10, version 1903, and Windows 10 Prerelease
+>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds).
```xml
@@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## [Preview] Global Profile Sample XML
-Global Profile is currently supported in Windows 10 Prerelease. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user.
+Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in
```xml
@@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul
```
## [Preview] Folder Access sample xml
-In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease.
+In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds).
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time.
@@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
>[!NOTE]
->Updated for Windows 10, version 1903 and Windows 10 Prerelease.
+>Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds).
Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
```xml
@@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release
```
-Schema for Windows 10 prerelease
+Schema for Windows 10 Insider Preview (19H2, 20H1 builds)
```xml
```
-To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
+To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature which is added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
+
```xml
-<AllAppsList>
- <AllowedApps>
- <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- <App DesktopAppPath="%windir%\system32\mspaint.exe" />
- <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/>
- </AllowedApps>
-</AllAppsList>
+
+
+
+
+
+
+
+
+
+
+
```
##### FileExplorerNamespaceRestrictions
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index 5603c46bfa..4ea4c7f814 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -462,7 +462,7 @@ Quick action buttons are locked down in exactly the same way as Settings pages/g
You can specify the quick actions as follows:
-``` syntax
+```xml
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index bd8806ab06..b825b767ae 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -5,7 +5,7 @@ ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
ms.reviewer:
manager: dansimp
keywords: ["runtime provisioning", "provisioning package"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: dansimp
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index a906cf7e68..cc40946bcb 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -2,7 +2,7 @@
title: Provision PCs with apps and certificates (Windows 10)
description: Create a provisioning package to apply settings to a PC running Windows 10.
keywords: ["runtime provisioning", "provisioning package"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: dansimp
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index b6d2e80dc0..cbcb56ed0d 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -2,7 +2,7 @@
title: Provision PCs with apps (Windows 10)
description: Add apps to a Windows 10 provisioning package.
keywords: ["runtime provisioning", "provisioning package"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: dansimp
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 61ab4d40ae..139dcce1bb 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -2,7 +2,7 @@
title: Set up a shared or guest PC with Windows 10 (Windows 10)
description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios.
keywords: ["shared pc mode"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index b7a9b2ca2d..2e002f5962 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -233,10 +233,10 @@ XML files can and should be tested locally on a Hyper-V or other virtual machine
- User-initiated changes to the start layout are not roamed.
Specifically, behaviors include
- - Applications (apps or icons) pinned to the start menu are missing.
- - Entire tile window disappears.
- - The start button fails to respond.
- - If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing.
+- Applications (apps or icons) pinned to the start menu are missing.
+- Entire tile window disappears.
+- The start button fails to respond.
+- If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing.
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 529e59e779..520de10950 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -53,6 +53,7 @@ The XML schema for `LayoutModification.xml` requires the following order for tag
1. TopMFUApps
1. CustomTaskbarLayoutCollection
1. InkWorkspaceTopApps
+1. StartLayoutCollection
Comments are not supported in the `LayoutModification.xml` file.
@@ -66,6 +67,8 @@ Comments are not supported in the `LayoutModification.xml` file.
>- Do not add multiple rows of comments.
The following table lists the supported elements and attributes for the LayoutModification.xml file.
+> [!NOTE]
+> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images.
| Element | Attributes | Description |
| --- | --- | --- |
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 299ba40be7..156e4af29b 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -241,7 +241,7 @@ Version identifies the version of the settings location template for administrat
**Hint:** You can save notes about version changes using XML comment tags ``, for example:
-``` syntax
+```xml
-
-
-
-
-By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
-
-For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md#download-mode).
-
-
-## Set up Delivery Optimization
-
-See [Set up Delivery Optimization](waas-delivery-optimization-setup.md) for suggested values for a number of common scenarios.
-
-You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
-
-You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
-In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
-
-Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
-
-**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
-
-## Reference
-
-For complete list of every possible Delivery Optimization setting, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
-
-
-## How Microsoft uses Delivery Optimization
-At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
-
-For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
-
-
-
-## Frequently asked questions
-
-**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
-
-**Which ports does Delivery Optimization use?**: For peer-to-peer traffic, it uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
-
-**What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details.
-
-**What hostnames should I allow through my firewall to support Delivery Optimization?**:
-
-For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
-
-For Delivery Optimization metadata:
-
-- *.dl.delivery.mp.microsoft.com
-- *.emdl.ws.microsoft.com
-
-For the payloads (optional):
-
-- *.download.windowsupdate.com
-- *.windowsupdate.com
-
-**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
-
-**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
-
-
-## Troubleshooting
-
-This section summarizes common problems and some solutions to try.
-
-### If you don't see any bytes from peers
-
-If you don’t see any bytes coming from peers the cause might be one of the following issues:
-
-- Clients aren’t able to reach the Delivery Optimization cloud services.
-- The cloud service doesn’t see other peers on the network.
-- Clients aren’t able to connect to peers that are offered back from the cloud service.
-
-
-### Clients aren't able to reach the Delivery Optimization cloud services.
-
-If you suspect this is the problem, try these steps:
-
-1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
-2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and observe the DownloadMode setting. For peering to work, DownloadMode should be 1, 2, or 3.
-3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
-
-
-
-### The cloud service doesn't see other peers on the network.
-
-If you suspect this is the problem, try these steps:
-
-1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads.
-2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and ensure that **DownloadMode** is 1 or 2 on both devices.
-3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated Powershell window on the second device. The **NumberOfPeers** field should be non-zero.
-4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. To do this, open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices aren’t reporting the same public IP address.
-
-
-### Clients aren't able to connect to peers offered by the cloud service
-
-If you suspect this is the problem, try a Telnet test between two devices on the network to ensure they can connect using port 7680. To do this, follow these steps:
-
-1. Install Telnet by running **dism /online /Enable-Feature /FeatureName:TelnetClient** from an elevated command prompt.
-2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
-
-
-
-
-
-## Learn more
-
-[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+ms.reviewer:
+manager: laurawi
+description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
+keywords: oms, operations management suite, wdav, updates, downloads, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Delivery Optimization for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled).
+
+Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
+
+
+>[!NOTE]
+>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
+
+## Requirements
+
+The following table lists the minimum Windows 10 version that supports Delivery Optimization:
+
+| Device type | Minimum Windows version |
+|------------------|---------------|
+| Computers running Windows 10 | 1511 |
+| Computers running Server Core installations of Windows Server | 1709 |
+| IoT devices | 1803 |
+| HoloLens devices | 1803 |
+
+**Types of download packages supported by Delivery Optimization**
+
+| Download package | Minimum Windows version |
+|------------------|---------------|
+| Windows 10 updates (feature updates and quality updates) | 1511 |
+| Windows 10 drivers | 1511 |
+| Windows Store files | 1511 |
+| Windows Store for Business files | 1511 |
+| Windows Defender definition updates | 1511 |
+| Office Click-to-Run updates | 1709 |
+| Win32 apps for Intune | 1709 |
+| SCCM Express Updates | 1709 + Configuration Manager version 1711 |
+
+
+
+
+
+
+By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+
+For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md#download-mode).
+
+
+## Set up Delivery Optimization
+
+See [Set up Delivery Optimization](waas-delivery-optimization-setup.md) for suggested values for a number of common scenarios.
+
+You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
+
+You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
+In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
+
+Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
+
+**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+
+## Reference
+
+For complete list of every possible Delivery Optimization setting, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
+
+
+## How Microsoft uses Delivery Optimization
+At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
+
+For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
+
+
+
+## Frequently asked questions
+
+**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
+
+**Which ports does Delivery Optimization use?**: For peer-to-peer traffic, it uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
+
+**What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details.
+
+**What hostnames should I allow through my firewall to support Delivery Optimization?**:
+
+For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
+
+For Delivery Optimization metadata:
+
+- *.dl.delivery.mp.microsoft.com
+- *.emdl.ws.microsoft.com
+
+For the payloads (optional):
+
+- *.download.windowsupdate.com
+- *.windowsupdate.com
+
+**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
+
+**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
+
+
+## Troubleshooting
+
+This section summarizes common problems and some solutions to try.
+
+### If you don't see any bytes from peers
+
+If you don’t see any bytes coming from peers the cause might be one of the following issues:
+
+- Clients aren’t able to reach the Delivery Optimization cloud services.
+- The cloud service doesn’t see other peers on the network.
+- Clients aren’t able to connect to peers that are offered back from the cloud service.
+
+
+### Clients aren't able to reach the Delivery Optimization cloud services.
+
+If you suspect this is the problem, try these steps:
+
+1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
+2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and observe the DownloadMode setting. For peering to work, DownloadMode should be 1, 2, or 3.
+3. If **DownloadMode** is 99 it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization hostnames are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
+
+
+
+### The cloud service doesn't see other peers on the network.
+
+If you suspect this is the problem, try these steps:
+
+1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads.
+2. Run `Get-DeliveryOptimizationStatus` from an elevated Powershell window and ensure that **DownloadMode** is 1 or 2 on both devices.
+3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated Powershell window on the second device. The **NumberOfPeers** field should be non-zero.
+4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. To do this, open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices aren’t reporting the same public IP address.
+
+
+### Clients aren't able to connect to peers offered by the cloud service
+
+If you suspect this is the problem, try a Telnet test between two devices on the network to ensure they can connect using port 7680. To do this, follow these steps:
+
+1. Install Telnet by running **dism /online /Enable-Feature /FeatureName:TelnetClient** from an elevated command prompt.
+2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
+
+
+
+
+
+## Learn more
+
+[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index d9effb684b..30023d81bb 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -1,74 +1,74 @@
----
-title: Build deployment rings for Windows 10 updates (Windows 10)
-description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 07/11/2018
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Build deployment rings for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different.
-
-Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
-
-Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
-
-Table 1 provides an example of the deployment rings you might use.
-
-**Table 1**
-
-| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example |
-| --- | --- | --- | --- | --- |
-| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel |
-| Targeted | Semi-annual channel (Targeted) | None | None | Select devices across various teams used to evaluate the major release prior to broad deployment |
-| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedbackPause updates if there are critical issues |
-| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
-
->[!NOTE]
->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates.
-
-
-As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | Build deployment rings for Windows 10 updates (this topic) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
-
+---
+title: Build deployment rings for Windows 10 updates (Windows 10)
+description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Build deployment rings for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+> [!NOTE]
+> We're in the process of updating this topic with more definitive guidance. In the meantime, see [this post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) on the Windows 10 IT Pro blog for some great suggestions for a deployment ring structure.
+
+For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different.
+
+Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
+
+Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
+
+Table 1 provides an example of the deployment rings you might use.
+
+**Table 1**
+
+| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example |
+| --- | --- | --- | --- | --- |
+| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel |
+| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedbackPause updates if there are critical issues |
+| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
+
+>[!NOTE]
+>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates.
+
+
+As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | Build deployment rings for Windows 10 updates (this topic) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 5cf9e1b52e..1bc196ce0e 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,116 +1,115 @@
----
-title: Integrate Windows Update for Business with management solutions (Windows 10)
-description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Integrate Windows Update for Business with management solutions
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
-
-## Integrate Windows Update for Business with Windows Server Update Services
-
-
-For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
-
-- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
-- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
-
-### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
-
-**Configuration:**
-
-- Device is configured to defer Windows Quality Updates using Windows Update for Business
-- Device is also configured to be managed by WSUS
-- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
-- Admin has opted to put updates to Office and other products on WSUS
-- Admin has also put 3rd party drivers on WSUS
-
-
Content
Metadata source
Payload source
Deferred?
-
Updates to Windows
Windows Update
Windows Update
Yes
-
Updates to Office and other products
WSUS
WSUS
No
-
Third-party drivers
WSUS
WSUS
No
-
-
-### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
-
-**Configuration:**
-
-- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
-- Device is also configured to be managed by WSUS
-- Admin has opted to put Windows Update drivers on WSUS
-
-
-
Content
Metadata source
Payload source
Deferred?
-
Updates to Windows (excluding drivers)
Windows Update
Windows Update
Yes
-
Updates to Office and other products
WSUS
WSUS
No
-
Drivers
WSUS
WSUS
No
-
-
-
-### Configuration example \#3: Device configured to receive Microsoft updates
-
-**Configuration:**
-
-- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
-- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
-- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
-
-In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
-- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
-- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
-
-
-
Content
Metadata source
Payload source
Deferred?
-
Updates to Windows (excluding drivers)
Microsoft Update
Microsoft Update
Yes
-
Updates to Office and other products
Microsoft Update
Microsoft Update
No
-
Drivers, third-party applications
WSUS
WSUS
No
-
-
->[!NOTE]
-> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
-
-## Integrate Windows Update for Business with System Center Configuration Manager
-
-For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
-
-
-
-For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
+---
+title: Integrate Windows Update for Business with management solutions (Windows 10)
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greglin
+ms.date: 07/27/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Integrate Windows Update for Business with management solutions
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+
+## Integrate Windows Update for Business with Windows Server Update Services
+
+
+For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
+
+- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
+
+### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates using Windows Update for Business
+- Device is also configured to be managed by WSUS
+- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
+- Admin has opted to put updates to Office and other products on WSUS
+- Admin has also put 3rd party drivers on WSUS
+
+
Content
Metadata source
Payload source
Deferred?
+
Updates to Windows
Windows Update
Windows Update
Yes
+
Updates to Office and other products
WSUS
WSUS
No
+
Third-party drivers
WSUS
WSUS
No
+
+
+### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
+- Device is also configured to be managed by WSUS
+- Admin has opted to put Windows Update drivers on WSUS
+
+
+
Content
Metadata source
Payload source
Deferred?
+
Updates to Windows (excluding drivers)
Windows Update
Windows Update
Yes
+
Updates to Office and other products
WSUS
WSUS
No
+
Drivers
WSUS
WSUS
No
+
+
+
+### Configuration example \#3: Device configured to receive Microsoft updates
+
+**Configuration:**
+
+- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
+- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
+- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
+
+In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
+- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
+- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
+
+
+
Content
Metadata source
Payload source
Deferred?
+
Updates to Windows (excluding drivers)
Microsoft Update
Microsoft Update
Yes
+
Updates to Office and other products
Microsoft Update
Microsoft Update
No
+
Drivers, third-party applications
WSUS
WSUS
No
+
+
+>[!NOTE]
+> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
+
+## Integrate Windows Update for Business with System Center Configuration Manager
+
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+
+
+
+For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 13b782b7e4..5ab254f79d 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -1,334 +1,332 @@
----
-title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
-description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 10/16/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy Windows 10 updates using System Center Configuration Manager
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
-
-You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
-
->[!NOTE]
->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
-
-## Windows 10 servicing dashboard
-
-The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
-
-For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
-
-- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
-- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
-- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
-- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
-
- **To configure Upgrade classification**
-
- 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
-
- 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
-
- 
-
- 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
-
-When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
-
-## Create collections for deployment rings
-
-Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
-
->[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
-
-**To create collections for deployment rings**
-
-1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
-
-2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
-
-3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
-
-4. Click **Browse** to select the limiting collection, and then click **All Systems**.
-
-5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
-
-6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
-
-7. On the **Criteria** tab, click the **New** icon.
-
- 
-
-8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
-
-9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
-
- 
-
- >[!NOTE]
- >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
-
-10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
-
- 
-
-11. Now that the **OSBranch** attribute is correct, verify the operating system version.
-
-12. On the **Criteria** tab, click the **New** icon again to add criteria.
-
-13. In the **Criterion Properties** dialog box, click **Select**.
-
-14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
-
- 
-
-15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
-
- 
-
-16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
-
-17. Click **Summary**, and then click **Next**.
-
-18. Close the wizard.
-
->[!IMPORTANT]
->Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
-
-After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
-
-1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
-
-2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
-
-3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
-
-4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
-
-5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
-
-6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
-
-7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
-
-8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
-
-9. Click **Next**, and then click **Close**.
-
-10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
-
-11. Click **Next**, and then click **Close**.
-
-
-## Use Windows 10 servicing plans to deploy Windows 10 feature updates
-
-There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
-
-**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
-
-1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
-
-2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
-
-3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
-
-4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
-
- >[!IMPORTANT]
- >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
- >
- >
- >
- >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
-
-5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
-
- Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
-
- On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
-
-6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
-
-7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
-
-8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
-
- Doing so allows installation and restarts after the 7-day deadline on workstations only.
-
-9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
-
- In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
-
- 
-
-10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
-
- 
-
- Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
-
-11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
-
-
-You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
-
-
-
-
-## Use a task sequence to deploy Windows 10 updates
-
-There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
-
-- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
-- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
-
-Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
-
-2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
-
-3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
-
- In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
-
- >[!NOTE]
- >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
-
-4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
-
-5. On the **Summary** page, click **Next** to create the package.
-
-6. On the **Completion** page, click **Close**.
-
-Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
-
-2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
-
-3. In the Distribute Content Wizard, on the **General** page, click **Next**.
-
-4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
-
-5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
-
-6. On the **Content Destination** page, click **Next**.
-
-7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
-
-8. On the **Completion** page, click **Close**.
-
-Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
-
-2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
-
-3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
-
-4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
-
-5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
-
-6. Click **Next**.
-
-7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
-
-8. On the **Install Applications** page, click **Next**.
-
-9. On the **Summary** page, click **Next** to create the task sequence.
-
-10. On the **Completion** page, click **Close**.
-
-With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
-
->[!IMPORTANT]
->This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
-
-**To deploy your task sequence**
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
-
-2. On the Ribbon, in the **Deployment** group, click **Deploy**.
-
-3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
-
-4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
-
-5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
-
-6. In the **Assignment Schedule** dialog box, click **Schedule**.
-
-7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
-
-8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
-
-9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
-
-10. Use the defaults for the remaining settings.
-
-11. Click **Summary**, and then click **Next** to deploy the task sequence.
-
-12. Click **Close**.
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
-
-## See also
-
-[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage device restarts after updates](waas-restart.md)
-
+---
+title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
+description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy Windows 10 updates using System Center Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+
+System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
+
+You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
+
+>[!NOTE]
+>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
+
+## Windows 10 servicing dashboard
+
+The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
+
+For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
+
+- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
+- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
+- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
+- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
+
+ **To configure Upgrade classification**
+
+ 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
+
+ 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
+
+ 
+
+ 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
+
+When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
+
+## Create collections for deployment rings
+
+Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+**To create collections for deployment rings**
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
+
+4. Click **Browse** to select the limiting collection, and then click **All Systems**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
+
+6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
+
+7. On the **Criteria** tab, click the **New** icon.
+
+ 
+
+8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
+
+9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
+
+10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
+
+ 
+
+11. Now that the **OSBranch** attribute is correct, verify the operating system version.
+
+12. On the **Criteria** tab, click the **New** icon again to add criteria.
+
+13. In the **Criterion Properties** dialog box, click **Select**.
+
+14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
+
+ 
+
+15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
+
+ 
+
+16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
+
+17. Click **Summary**, and then click **Next**.
+
+18. Close the wizard.
+
+>[!IMPORTANT]
+>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
+
+After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
+
+4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
+
+6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
+
+7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
+
+8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
+
+9. Click **Next**, and then click **Close**.
+
+10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
+
+11. Click **Next**, and then click **Close**.
+
+
+## Use Windows 10 servicing plans to deploy Windows 10 feature updates
+
+There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
+
+**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
+
+2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
+
+3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
+
+4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
+
+ >[!IMPORTANT]
+ >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
+ >
+ >
+ >
+ >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
+
+5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
+
+ Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
+
+ On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
+
+6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
+
+7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
+
+8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
+
+ Doing so allows installation and restarts after the 7-day deadline on workstations only.
+
+9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
+
+ In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
+
+ 
+
+10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
+
+ 
+
+ Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
+
+11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
+
+
+You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
+
+
+
+
+## Use a task sequence to deploy Windows 10 updates
+
+There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
+
+Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
+
+2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
+
+3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
+
+ In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
+
+ >[!NOTE]
+ >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
+
+4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
+
+5. On the **Summary** page, click **Next** to create the package.
+
+6. On the **Completion** page, click **Close**.
+
+Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
+
+2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
+
+3. In the Distribute Content Wizard, on the **General** page, click **Next**.
+
+4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
+
+5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
+
+6. On the **Content Destination** page, click **Next**.
+
+7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
+
+8. On the **Completion** page, click **Close**.
+
+Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
+
+2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
+
+3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+
+4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
+
+5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
+
+6. Click **Next**.
+
+7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
+
+8. On the **Install Applications** page, click **Next**.
+
+9. On the **Summary** page, click **Next** to create the task sequence.
+
+10. On the **Completion** page, click **Close**.
+
+With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
+
+>[!IMPORTANT]
+>This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
+
+**To deploy your task sequence**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
+
+2. On the Ribbon, in the **Deployment** group, click **Deploy**.
+
+3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
+
+4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
+
+5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
+
+6. In the **Assignment Schedule** dialog box, click **Schedule**.
+
+7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
+
+8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
+
+9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
+
+10. Use the defaults for the remaining settings.
+
+11. Click **Summary**, and then click **Next** to deploy the task sequence.
+
+12. Click **Close**.
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
+
+## See also
+
+[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index f9c378860b..4df1a782b7 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,360 +1,360 @@
----
-title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10)
-description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 10/16/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy Windows 10 updates using Windows Server Update Services (WSUS)
-
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
-
-When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
-
-
-
-## Requirements for Windows 10 servicing with WSUS
-
-To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
-
-## WSUS scalability
-
-To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
-
-
-## Express Installation Files
-
-With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
-
- At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
-
- **To configure WSUS to download Express Update Files**
-
-1. Open the WSUS Administration Console.
-
-2. In the navigation pane, go to *Your_Server*\\**Options**.
-
-3. In the **Options** section, click **Update Files and Languages**.
-
- 
-
-4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
-
- 
-
- >[!NOTE]
- >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative.
-
-## Configure automatic updates and update service location
-
-When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
-
-**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
-
-1. Open GPMC.
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
- 
-
- >[!NOTE]
- >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
-
-4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
-
-5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-
-7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
-
- 
-
-8. In the **Configure Automatic Updates** dialog box, select **Enable**.
-
-9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
-
- 
-
- > [!NOTE]
- > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
-
-10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
-
-11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
-
-12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**.
-
- >[!NOTE]
- >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
-
- 
-
- >[!NOTE]
- >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
-
-As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
-
-## Create computer groups in the WSUS Administration Console
-
->[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
-
-You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
-
-**To create computer groups in the WSUS Administration Console**
-
-1. Open the WSUS Administration Console.
-
-2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
-
- 
-
-3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
-
-4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
-
-Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
-
-
-## Use the WSUS Administration Console to populate deployment rings
-
-Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
-
-In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
-
-### Manually assign unassigned computers to groups
-
-When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
-
-**To assign computers manually**
-
-1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
-
- Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
-
-2. Select both computers, right-click the selection, and then click **Change Membership**.
-
- 
-
-3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
-
- Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
-
-### Search for multiple computers to add to groups
-
-Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
-
-**To search for multiple computers**
-
-1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
-
-2. In the search box, type **WIN10**.
-
-3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
-
- 
-
-4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
-
-You can now see these computers in the **Ring 3 Broad IT** computer group.
-
-
-
-## Use Group Policy to populate deployment rings
-
-The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
-
-**To configure WSUS to allow client-side targeting from Group Policy**
-
-1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
-
- 
-
-2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
-
- >[!NOTE]
- >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
-
-Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
-
-**To configure client-side targeting**
-
->[!TIP]
->When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
-
-1. Open GPMC.
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
-4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
-
-5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
-
- 
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-
-7. Right-click **Enable client-side targeting**, and then click **Edit**.
-
-8. In the **Enable client-side targeting** dialog box, select **Enable**.
-
-9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
-
- 
-
-10. Close the Group Policy Management Editor.
-
-Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
-
-**To scope the GPO to a group**
-
-1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
-
-2. Click the **Scope** tab.
-
-3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
-
- 
-
-The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
-
-## Automatically approve and deploy feature updates
-
-For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
-
->[!NOTE]
->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
-
-**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
-
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
-
-2. On the **Update Rules** tab, click **New Rule**.
-
-3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
-
- 
-
-4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
-
-5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
-
- Windows 10 is under All Products\Microsoft\Windows.
-
-6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
-
-7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
-
-8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
-
- 
-
-9. In the **Automatic Approvals** dialog box, click **OK**.
-
- >[!NOTE]
- >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
-
-Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
-
-## Manually approve and deploy feature updates
-
-You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
-
-**To approve and deploy feature updates manually**
-
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
-
-2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
-
-3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
-
-4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
-
- Windows 10 is under All Products\Microsoft\Windows.
-
-5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
-
- 
-
-Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
-
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
-
-2. Right-click the feature update you want to deploy, and then click **Approve**.
-
- 
-
-3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
-
- 
-
-4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
-
- 
-
-5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
-
- If the deployment is successful, you should receive a successful progress report.
-
- 
-
-6. In the **Approval Progress** dialog box, click **Close**.
-
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10)
+description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greglin
+ms.date: 10/16/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy Windows 10 updates using Windows Server Update Services (WSUS)
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
+
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
+
+
+
+## Requirements for Windows 10 servicing with WSUS
+
+To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
+
+## WSUS scalability
+
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
+
+
+## Express Installation Files
+
+With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
+
+ At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
+
+ **To configure WSUS to download Express Update Files**
+
+1. Open the WSUS Administration Console.
+
+2. In the navigation pane, go to *Your_Server*\\**Options**.
+
+3. In the **Options** section, click **Update Files and Languages**.
+
+ 
+
+4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
+
+ 
+
+ >[!NOTE]
+ >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative.
+
+## Configure automatic updates and update service location
+
+When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
+
+**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
+
+1. Open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+ >[!NOTE]
+ >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
+
+4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+
+5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+
+ 
+
+8. In the **Configure Automatic Updates** dialog box, select **Enable**.
+
+9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+ 
+
+ > [!NOTE]
+ > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
+
+10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
+
+11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
+
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**.
+
+ >[!NOTE]
+ >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
+
+ 
+
+ >[!NOTE]
+ >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
+
+As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
+
+## Create computer groups in the WSUS Administration Console
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
+
+**To create computer groups in the WSUS Administration Console**
+
+1. Open the WSUS Administration Console.
+
+2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
+
+ 
+
+3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+
+4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+
+Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
+
+## Use the WSUS Administration Console to populate deployment rings
+
+Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
+
+In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
+
+### Manually assign unassigned computers to groups
+
+When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
+
+**To assign computers manually**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
+
+ Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+
+2. Select both computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+
+ Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+
+### Search for multiple computers to add to groups
+
+Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
+
+**To search for multiple computers**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+
+2. In the search box, type **WIN10**.
+
+3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+
+You can now see these computers in the **Ring 3 Broad IT** computer group.
+
+
+
+## Use Group Policy to populate deployment rings
+
+The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
+
+**To configure WSUS to allow client-side targeting from Group Policy**
+
+1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+
+ 
+
+2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+
+ >[!NOTE]
+ >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
+
+Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
+
+**To configure client-side targeting**
+
+>[!TIP]
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+
+1. Open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+
+5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click **Enable client-side targeting**, and then click **Edit**.
+
+8. In the **Enable client-side targeting** dialog box, select **Enable**.
+
+9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
+
+ 
+
+10. Close the Group Policy Management Editor.
+
+Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
+
+**To scope the GPO to a group**
+
+1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+
+2. Click the **Scope** tab.
+
+3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
+
+ 
+
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
+
+## Automatically approve and deploy feature updates
+
+For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+
+>[!NOTE]
+>WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+
+**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
+
+2. On the **Update Rules** tab, click **New Rule**.
+
+3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
+
+ 
+
+4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+
+5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+
+7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
+
+8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+
+ 
+
+9. In the **Automatic Approvals** dialog box, click **OK**.
+
+ >[!NOTE]
+ >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+
+Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+
+## Manually approve and deploy feature updates
+
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+
+**To approve and deploy feature updates manually**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+
+2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
+
+3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+
+4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+
+ 
+
+Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
+
+2. Right-click the feature update you want to deploy, and then click **Approve**.
+
+ 
+
+3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
+
+ 
+
+4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
+
+ 
+
+5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+
+ If the deployment is successful, you should receive a successful progress report.
+
+ 
+
+6. In the **Approval Progress** dialog box, click **Close**.
+
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 60a512e49c..b80b9132c8 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -126,7 +126,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index a968d2c48c..78594a2262 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -1,94 +1,78 @@
----
-title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
-description: tbd
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
-
-
-**Applies to**
-
-- Windows 10 Mobile
-- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot)
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!TIP]
->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
-
-Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
-
-[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
-
-
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-| Windows 10 edition | CB | CBB | Insider Program |
-| --- | --- | --- | --- | --- |
-| Mobile |  |  |  |
-| Mobile Enterprise |  |  |  |
-| IoT Mobile |  |  |  |
-
-
-
-Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
-
-## Windows 10, version 1511
-
-Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
-
-- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
-- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod
-- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals
-
-To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy.
-
-## Windows 10, version 1607
-
-Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
-
-- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
-- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
-- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
-
-In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches.
-
-If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied.
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
+---
+title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
+
+
+**Applies to**
+
+- Windows 10 Mobile
+- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot)
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
+
+Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual Channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program).
+
+[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
+
+
+
+| Windows 10 edition | Semi-annual Channel | Insider Program |
+| --- | --- | --- | --- |
+| Mobile |  |  |
+| Mobile Enterprise |  |  |
+| IoT Mobile |  |  |
+
+
+
+Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to quality updates only. That is, Windows Mobile feature updates are categorized the same as quality updates, and can only be deferred by setting the quality update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
+
+
+## Windows 10, version 1607
+
+Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
+
+- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
+- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
+
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index b620db134e..08ff7d66a5 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -1,111 +1,111 @@
----
-title: Optimize update delivery for Windows 10 updates (Windows 10)
-description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Optimize Windows 10 update delivery
-
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
-
-Two methods of peer-to-peer content distribution are available in Windows 10.
-
-- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
-
- Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
-
-- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
-
- >[!NOTE]
- >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
-
- Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
-
-
-
-| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
-| --- | --- | --- | --- | --- |
-| Delivery Optimization |  |  |  |  |
-| BranchCache |  |  | |  |
-
->[!NOTE]
->System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
->
->In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
-
-## Express update delivery
-
-Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
-
->[!NOTE]
->Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
-
-### How Microsoft supports Express
-- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
-- **Express on WSUS Standalone**
-
- Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
-- **Express on devices directly connected to Windows Update**
-- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
-
-### How Express download works
-
-For OS updates that support Express, there are two versions of the file payload stored on the service:
-1. **Full-file version** - essentially replacing the local versions of the update binaries.
-2. **Express version** - containing the deltas needed to patch the existing binaries on the device.
-
-Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase.
-
-**Express download works as follows:**
-
-The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests).
-
-1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package.
-2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered.
-3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required.
-4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded.
-
-At this point, the download is complete and the update is ready to be installed.
-
->[!TIP]
->Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | Optimize update delivery for Windows 10 updates (this topic) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-
-## Related topics
-
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Optimize update delivery for Windows 10 updates (Windows 10)
+description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greg-lindsay
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Optimize Windows 10 update delivery
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
+
+Two methods of peer-to-peer content distribution are available in Windows 10.
+
+- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
+
+ Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
+
+- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
+
+ >[!NOTE]
+ >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
+
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+
+
+
+| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
+| --- | --- | --- | --- | --- |
+| Delivery Optimization |  |  |  |  |
+| BranchCache |  |  | |  |
+
+>[!NOTE]
+>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
+>
+>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
+
+## Express update delivery
+
+Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+
+>[!NOTE]
+>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
+
+### How Microsoft supports Express
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
+- **Express on WSUS Standalone**
+
+ Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
+- **Express on devices directly connected to Windows Update**
+- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
+
+### How Express download works
+
+For OS updates that support Express, there are two versions of the file payload stored on the service:
+1. **Full-file version** - essentially replacing the local versions of the update binaries.
+2. **Express version** - containing the deltas needed to patch the existing binaries on the device.
+
+Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase.
+
+**Express download works as follows:**
+
+The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests).
+
+1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package.
+2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered.
+3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required.
+4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded.
+
+At this point, the download is complete and the update is ready to be installed.
+
+>[!TIP]
+>Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | Optimize update delivery for Windows 10 updates (this topic) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+## Related topics
+
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index d5142a89da..4396b9d4b7 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -1,218 +1,210 @@
----
-title: Overview of Windows as a service (Windows 10)
-description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 09/24/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Overview of Windows as a service
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-- Windows 10 IoT Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
-Click the following Microsoft Mechanics video for an overview of the release model, particularly the Semi-Annual Channel.
-
-
-[](https://youtu.be/qSAsiM01GOU)
-
-## Building
-
-Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
-
-In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
-
-Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
-
-Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
-
-## Deploying
-
-Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple.
-
-One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified.
-
-### Application compatibility
-
-Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
-
-Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
-
-For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
-
-### Device compatibility
-
-Device compatibility in Windows 10 is also very strong; new hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10.
-
-## Servicing
-
-Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month.
-
-With Windows 10, organizations will need to change the way they approach deploying updates. Servicing channels are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing channels comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing channel to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing channels and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
-
-For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
-
-To align with this new update delivery model, Windows 10 has three servicing channels, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing channels available in Windows 10, see [Servicing channels](#servicing-channels).
-
-### Naming changes
-
-As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using:
-* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel".
-* Long-Term Servicing Channel - The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC).
-
->[!IMPORTANT]
->With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747).
-
->[!NOTE]
->For additional information, see the section about [Servicing Channels](#servicing-channels).
->
->You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change.
-
->[!IMPORTANT]
->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
-
-### Feature updates
-
-With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — twice per year, around March and September, rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
-
->[!TIP]
-> The feature update cadence has been aligned with Office 365 ProPlus updates. Starting with this falls' update, both Windows and Office will deliver their major updates semi-annually, around March and September. See [upcoming changes to Office 365 ProPlus update management](https://support.office.com/article/Overview-of-the-upcoming-changes-to-Office-365-ProPlus-update-management-78b33779-9356-4cdf-9d2c-08350ef05cca) for more information about changes to Office update management.
-
-### Quality updates
-
-Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
-
-In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
-
-**Figure 1**
-
-
-
-
-
-## Servicing channels
-
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-
-With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
-
-The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
-
->[!NOTE]
->Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
-
-### Semi-Annual Channel
-
-In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
-
-When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
-
-
-Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release.
-
-> [!NOTE]
-> All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle.
->
->
-> [!NOTE]
-> Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
-
-### Long-term Servicing Channel
-
-Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
-
->[!NOTE]
->Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
->
->Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel.
-
-Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
-
->[!NOTE]
->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
-
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading.
-
->[!NOTE]
->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.
-
-### Windows Insider
-
-For many IT pros, gaining visibility into feature updates early—before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next Semi-Annual Channel release. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
-
-Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md).
-
->[!NOTE]
->Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
->
->The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
-
-
-
-## Servicing tools
-
-There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
-
-- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
-- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
-- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
-- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
-
-With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
-
-**Table 1**
-
-| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features |
-| --- | --- | --- | --- | --- |
-| Windows Update | Yes (manual) | No | Delivery Optimization | None|
-| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
-| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
-| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
-
->[!NOTE]
->Due to [naming changes](#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
-
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | Learn about updates and servicing channels (this topic) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Quick guide to Windows as a service](waas-quick-start.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
-
+---
+title: Overview of Windows as a service (Windows 10)
+description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Overview of Windows as a service
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 IoT Mobile
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+
+## Building
+
+Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
+
+In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
+
+Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
+
+Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
+
+## Deploying
+
+Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple.
+
+One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified.
+
+### Application compatibility
+
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
+
+Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
+
+For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
+
+### Device compatibility
+
+Device compatibility in Windows 10 is also very strong; new hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10.
+
+## Servicing
+
+Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month.
+
+With Windows 10, organizations will need to change the way they approach deploying updates. Servicing channels are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing channels comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing channel to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing channels and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+
+For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
+
+To align with this new update delivery model, Windows 10 has three servicing channels, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing channels available in Windows 10, see [Servicing channels](#servicing-channels).
+
+### Naming changes
+
+There are currently two release channels for Windows 10:
+
+- The **Semi-Annual Channel** receives feature updates twice per year.
+- The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
+
+>[!IMPORTANT]
+>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. The "Semi-Annual Channel (Targeted)" designation is no longer used. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747).
+
+> [!NOTE]
+>For additional information, see the section about [Servicing Channels](#servicing-channels).
+>
+>You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change.
+
+>[!IMPORTANT]
+>Devices on the Semi-Annual Channel must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
+
+### Feature updates
+
+With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — twice per year, around March and September, rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
+
+
+### Quality updates
+
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
+
+In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment devicess contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
+
+**Figure 1**
+
+
+
+
+
+## Servicing channels
+
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
+
+With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+
+The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
+
+> [!NOTE]
+> Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+
+### Semi-Annual Channel
+
+In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Starting with Windows 10, version 1607, more servicing tools that can delay feature updates for up to 365 days are available. This servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
+
+When Microsoft officially releases a feature update for Windows 10, it is made available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
+
+
+Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release.
+
+> [!NOTE]
+> All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle.
+>
+>
+> [!NOTE]
+> Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
+
+### Long-term Servicing Channel
+
+Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+
+> [!NOTE]
+> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+>
+>Long-term Servicing channel is not intended for deployment on most or all the devicess in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel.
+
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
+
+> [!NOTE]
+> Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
+
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading.
+
+> [!NOTE]
+> If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.
+
+### Windows Insider
+
+For many IT pros, gaining visibility into feature updates early—before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next Semi-Annual Channel release. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
+
+Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md).
+
+>[!NOTE]
+>Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
+>
+> The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+
+
+
+## Servicing tools
+
+There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
+
+- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 device.
+- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
+- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
+- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
+
+With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
+
+**Table 1**
+
+| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features |
+| --- | --- | --- | --- | --- |
+| Windows Update | Yes (manual) | No | Delivery Optimization | None|
+| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
+| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
+| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
+
+>[!NOTE]
+>Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | Learn about updates and servicing channels (this topic) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Quick guide to Windows as a service](waas-quick-start.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 8a2e544771..56b4cc46a7 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -1,95 +1,88 @@
----
-title: Quick guide to Windows as a service (Windows 10)
-description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 10/17/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Quick guide to Windows as a service
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-- Windows 10 IoT Mobile
-
-Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
-
-## Definitions
-
-Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
-- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
-- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
-- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
-- **Servicing channels** allow organizations to choose when to deploy new features.
- - The **Semi-Annual Channel** receives feature updates twice per year.
- - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
-- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
-
-See [Overview of Windows as a service](waas-overview.md) for more information.
-
-For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
-
-## Key Concepts
-
-Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
-
-Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
-
-Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
-
-See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information.
-
-## Staying up to date
-
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
-
-Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
-
-This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
-
-Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
-
-See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information.
-
-## Video: An overview of Windows as a service
-
-Click the following Microsoft Mechanics video for an overview of the updated release model, particularly the Semi-Annual Channel.
-
-
-[](https://youtu.be/qSAsiM01GOU)
-
-## Learn more
-
-- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
-- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet)
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
-
-
-
-
-
+---
+title: Quick guide to Windows as a service (Windows 10)
+description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Quick guide to Windows as a service
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 IoT Mobile
+
+Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
+
+## Definitions
+
+Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
+- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
+- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
+- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
+- **Servicing channels** allow organizations to choose when to deploy new features.
+ - The **Semi-Annual Channel** receives feature updates twice per year.
+ - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
+- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
+
+See [Overview of Windows as a service](waas-overview.md) for more information.
+
+For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
+
+## Key Concepts
+
+Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
+
+Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
+
+Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
+
+See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information.
+
+## Staying up to date
+
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
+
+Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
+
+This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
+
+Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
+
+See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information.
+
+
+
+## Learn more
+
+- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
+- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet)
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index bf291e370f..bab9a9e136 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,208 +1,208 @@
----
-title: Manage device restarts after updates (Windows 10)
-description: tbd
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Manage device restarts after updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
-
-## Schedule update installation
-
-In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
-
-To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
-
-**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
-
-While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
-
-For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
-
-## Delay automatic reboot
-
-When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
-
-- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
-- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
-
-> [!NOTE]
-> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
-
-You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
-
-For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
-
-## Configure active hours
-
-*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
-
-By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
-
-Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
-
-Administrators can use multiple ways to set active hours for managed devices:
-
-- You can use Group Policy, as described in the procedure that follows.
-- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
-- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
-
-### Configuring active hours with Group Policy
-
-To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
-
-
-
-### Configuring active hours with MDM
-
-MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
-
-### Configuring active hours through Registry
-
-This method is not recommended, and should only be used when neither Group Policy or MDM are available.
-Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
-
-You should set a combination of the following registry values, in order to configure active hours.
-Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
-
-For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
-
->[!NOTE]
->To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
->
->
-
-### Configuring active hours max range
-
-With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
-
-To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
-
-To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange).
-
-## Limit restart delays
-
-After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
-
-## Control restart notifications
-
-In Windows 10, version 1703, we have added settings to control restart notifications for users.
-
-### Auto-restart notifications
-
-Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
-
-To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
-
-To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal)
-
-You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
-
-To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
-
-To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule).
-
-
-In some cases, you don't need a notification to show up.
-
-To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
-
-To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable).
-
-### Scheduled auto-restart warnings
-
-Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
-
-To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
-
-In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning).
-
-### Engaged restart
-
-Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts.
-
-The following settings can be adjusted for engaged restart:
-* Period of time before auto-restart transitions to engaged restart.
-* The number of days that users can snooze engaged restart reminder notifications.
-* The number of days before a pending restart automatically executes outside of working hours.
-
-In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
-
-In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively.
-
-## Group Policy settings for restart
-
-In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
-
-| Policy | Applies to Windows 10 | Notes |
-| --- | --- | --- |
-| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
-| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
-| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
-| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. There is no equivalent MDM policy setting for Windows 10 Mobile. |
-| Re-prompt for restart with scheduled installations |  | |
-| Delay Restart for scheduled installations |  | |
-| Reschedule Automatic Updates scheduled installations |  | |
-
->[!NOTE]
->You can only choose one path for restart behavior.
->If you set conflicting restart policies, the actual restart behavior may not be what you expected.
->When using RDP, only active RDP sessions are considered as logged on users.
-
-
-## Registry keys used to manage restart
-The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
-
-**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
-
-| Registry key | Key type | Value |
-| --- | --- | --- |
-| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
-
-**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
-
-| Registry key | Key type | Value |
-| --- | --- | --- |
-| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at ascheduled time |
-| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
-| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
-| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
-| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-
-There are 3 different registry combinations for controlling restart behavior:
-
-- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
-- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
-- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+---
+title: Manage device restarts after updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greg-lindsay
+ms.date: 07/27/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Manage device restarts after updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+
+## Schedule update installation
+
+In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
+
+To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+
+**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
+
+While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
+
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+## Delay automatic reboot
+
+When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
+
+- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+
+> [!NOTE]
+> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
+
+You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
+
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+## Configure active hours
+
+*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
+
+By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
+
+Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
+
+Administrators can use multiple ways to set active hours for managed devices:
+
+- You can use Group Policy, as described in the procedure that follows.
+- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
+- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
+
+### Configuring active hours with Group Policy
+
+To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
+
+
+
+### Configuring active hours with MDM
+
+MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
+
+### Configuring active hours through Registry
+
+This method is not recommended, and should only be used when neither Group Policy or MDM are available.
+Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
+
+You should set a combination of the following registry values, in order to configure active hours.
+Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
+
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+>[!NOTE]
+>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
+>
+>
+
+### Configuring active hours max range
+
+With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
+
+To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
+
+To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange).
+
+## Limit restart delays
+
+After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+
+## Control restart notifications
+
+In Windows 10, version 1703, we have added settings to control restart notifications for users.
+
+### Auto-restart notifications
+
+Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
+
+To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
+
+To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal)
+
+You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
+
+To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
+
+To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule).
+
+
+In some cases, you don't need a notification to show up.
+
+To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
+
+To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable).
+
+### Scheduled auto-restart warnings
+
+Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+
+To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
+
+In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning).
+
+### Engaged restart
+
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts.
+
+The following settings can be adjusted for engaged restart:
+* Period of time before auto-restart transitions to engaged restart.
+* The number of days that users can snooze engaged restart reminder notifications.
+* The number of days before a pending restart automatically executes outside of working hours.
+
+In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
+
+In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively.
+
+## Group Policy settings for restart
+
+In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+
+| Policy | Applies to Windows 10 | Notes |
+| --- | --- | --- |
+| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. There is no equivalent MDM policy setting for Windows 10 Mobile. |
+| Re-prompt for restart with scheduled installations |  | |
+| Delay Restart for scheduled installations |  | |
+| Reschedule Automatic Updates scheduled installations |  | |
+
+>[!NOTE]
+>You can only choose one path for restart behavior.
+>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
+>When using RDP, only active RDP sessions are considered as logged on users.
+
+
+## Registry keys used to manage restart
+The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
+
+**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
+
+**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at ascheduled time |
+| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
+| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
+| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
+| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+
+There are 3 different registry combinations for controlling restart behavior:
+
+- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
+- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
+- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index d58eb30284..2375cfd6b8 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,228 +1,193 @@
----
-title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
-description: tbd
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 10/13/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Assign devices to servicing channels for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!TIP]
->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first.
->
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
-
-Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
-
-| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
-| --- | --- | --- | --- | --- |
-| Home |  |  |  |  |
-| Pro |  |  |  |  |
-| Enterprise |  |  |  |  |
-| Enterprise LTSB |  |  |  |  |
-| Pro Education |  |  |  |  |
-| Education |  |  |  |  |
-| Mobile |  |  |  |  |
-| Mobile Enterprise |  |  |  |  |
-
-
-
->[!NOTE]
->The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
->[!NOTE]
->Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
-
-## Assign devices to Semi-Annual Channel
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-**To assign a single PC locally to CBB**
-
-1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
-2. Select **Defer feature updates**.
-
-**To assign PCs to CBB using Group Policy**
-
-- In Windows 10, version 1511:
-
- Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates**
-
-- In Windows 10, version 1607:
-
- Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB
-
-**To assign PCs to CBB using MDM**
-
-- In Windows 10, version 1511:
-
- ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade**
-
-- In Windows 10, version 1607:
-
- ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
-
-**To assign Windows 10 Mobile Enterprise to CBB using MDM**
-
-- In Windows 10 Mobile Enterprise, version 1511:
-
- ../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade
-
-- In Windows 10 Mobile Enterprise, version 1607:
-
- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
-
-## Enroll devices in the Windows Insider Program
-
-To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
-
-1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/).
-2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
-3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
-4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery:
-
-The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-* MDM: **Update/ManagePreviewBuilds**
-
-The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
-* MDM: **Update/BranchReadinessLevel**
-
-For more information, see [Windows Insider Program for Business](waas-windows-insider-for-business.md)
-
-## Block access to Windows Insider Program
-
-To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
-
-- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
-- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
-
->[!IMPORTANT]
->Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
-> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-> * MDM: **Update/ManagePreviewBuilds**
-
-
-## Switching channels
-
-During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
-
-
-
-
-
-
-
-
-
-
From this channel
-
To this channel
-
You need to
-
-
-
-
-
Windows Insider Program
-
Semi-Annual Channel (Targeted)
-
Wait for the final Semi-Annual Channel release.
-
-
-
Semi-Annual Channel
-
Not directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
-
-
-
Long-Term Servicing Channel
-
Not directly possible (requires wipe-and-load).
-
-
-
Semi-Annual Channel (Targeted)
-
Insider
-
Use the Settings app to enroll the device in the Windows Insider Program.
-
-
-
Semi-Annual Channel
-
Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
-
-
-
Long-Term Servicing Channel
-
Not directly possible (requires wipe-and-load).
-
-
-
Semi-Annual Channel
-
Insider
-
Use the Settings app to enroll the device in the Windows Insider Program.
-
-
-
Semi-Annual Channel (Targeted)
-
Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
-
-
-
Long-Term Servicing Channel
-
Not directly possible (requires wipe-and-load).
-
-
-
Long-Term Servicing Channel
-
Insider
-
Use media to upgrade to the latest Windows Insider Program build.
-
-
-
Semi-Annual Channel (Targeted)
-
Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
-
-
-
Semi-Annual Channel
-
Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
-
-
-
-
-## Block user access to Windows Update settings
-
-In Windows 10, administrators can control user access to Windows Update.
-By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
-
->[!NOTE]
-> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | Assign devices to servicing channels for Windows 10 updates (this topic) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Assign devices to servicing channels for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first.
+>
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
+
+| Windows 10 edition | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
+| --- | --- | --- | --- |
+| Home |  |  |  |
+| Pro |  |  |  |
+| Enterprise |  |  |  |
+| Enterprise LTSB |  |  |  |
+| Pro Education |  |  |  |
+| Education |  |  |  |
+| Mobile |  |  |  |
+| Mobile Enterprise |  |  |  |
+
+
+
+>[!NOTE]
+>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+
+
+## Assign devices to Semi-Annual Channel
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+**To assign a single devices locally to the Semi-Annual Channel**
+
+1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
+2. Select **Defer feature updates**.
+
+**To assign devicess to the Semi-Annual Channel by using Group Policy**
+
+
+- In Windows 10, version 1607 and later releases:
+
+ Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to the Semi-Annual Channel
+
+**To assign devicess to to the Semi-Annual Channel by using MDM**
+
+
+- In Windows 10, version 1607 and later releases:
+
+ ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
+
+**To assign Windows 10 Mobile Enterprise devices to the Semi-Annual Channel by using MDM**
+
+
+- In Windows 10 Mobile Enterprise, version 1607 and later releases:
+
+ ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+
+## Enroll devices in the Windows Insider Program
+
+To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
+
+1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/).
+2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
+4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery:
+
+The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
+* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
+* MDM: **Update/ManagePreviewBuilds**
+
+The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates.
+* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
+* MDM: **Update/BranchReadinessLevel**
+
+For more information, see [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+
+## Block access to Windows Insider Program
+
+To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
+
+- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
+- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
+
+>[!IMPORTANT]
+>Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
+> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
+> * MDM: **Update/ManagePreviewBuilds**
+
+
+## Switching channels
+
+During the life of a device, it might be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
+
+
+
+
+
+
+
+
+
+
From this channel
+
To this channel
+
You need to
+
+
+
+
+
Windows Insider Program
+
+
+
Semi-Annual Channel
+
Not directly possible
+
+
+
Long-Term Servicing Channel
+
Not directly possible (requires wipe-and-load).
+
+
+
Semi-Annual Channel
+
Insider
+
Use the Settings app to enroll the device in the Windows Insider Program.
+
+
+
+
+
Long-Term Servicing Channel
+
Not directly possible (requires wipe-and-load).
+
+
+
Long-Term Servicing Channel
+
Insider
+
Use media to upgrade to the latest Windows Insider Program build.
+
+
Semi-Annual Channel
+
Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
+
+
+
+
+## Block user access to Windows Update settings
+
+In Windows 10, administrators can control user access to Windows Update.
+By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+>[!NOTE]
+> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | Assign devices to servicing channels for Windows 10 updates (this topic) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 4e7773bbf9..fda8dac6f6 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -1,119 +1,121 @@
----
-title: Servicing differences between Windows 10 and older operating systems
-ms.reviewer:
-manager: laurawi
-description: Learn the differences between servicing Windows 10 and servicing older operating systems.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.topic: article
-ms.collection: M365-modern-desktop
----
-# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
-
-> Applies to: Windows 10
->
-> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
-
-Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
-
-The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
-
->[!NOTE]
->A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
-
-## Infinite fragmentation
-Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
-
-As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
-
-This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
-
-## Windows 10 – Next generation
-Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
-
-This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
-
-Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
-
-
-
-*Figure 1.0 - High level cumulative update model*
-
-Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
-
-This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
-
-### Points to consider
-
-- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
-- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
-- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
-- For Windows 10, available update types vary by publishing channel:
- - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
- - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
- - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
-- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
-
-## Windows 7 and legacy OS versions
-While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
-
-Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
-
-The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
-
-
-*Figure 2.0 - Legacy OS security-only update model*
-
-Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
-
-### Points to consider
-- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
-- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
-- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
-- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended.
-- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed.
-- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
-- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
-- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
-- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
-
-## Public preview releases
-Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
-
-### Examples
-Windows 10 version 1709:
-- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
-- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
-- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
-All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
-
-
-*Figure 3.0 - Preview releases within the Windows 10 LCU model*
-
-## Previews vs. on-demand releases
-In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
-
-As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
-
-### Point to consider
-- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
-- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
-- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
-- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
-
-In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
-
-## Resources
-- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
-- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
-- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
-- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
-- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
-- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
-- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
-- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
+---
+title: Servicing differences between Windows 10 and older operating systems
+ms.reviewer:
+manager: laurawi
+description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.audience: itpro
+author: greg-lindsay
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
+
+> Applies to: Windows 10
+>
+> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
+
+Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates.
+
+The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
+
+>[!NOTE]
+>A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
+
+## Infinite fragmentation
+Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
+
+As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
+
+This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+
+## Windows 10 – Next generation
+Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
+
+This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
+
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+
+
+
+*Figure 1.0 - High level cumulative update model*
+
+Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
+
+This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
+
+### Points to consider
+
+- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
+- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
+- For Windows 10, available update types vary by publishing channel:
+ - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
+ - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
+ - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
+- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
+
+## Windows 7 and legacy OS versions
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
+
+Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
+
+The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+
+
+*Figure 2.0 - Legacy OS security-only update model*
+
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+
+### Points to consider
+- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
+- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
+- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
+- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended.
+- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed.
+- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
+- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
+- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
+- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
+
+## Public preview releases
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
+
+### Examples
+Windows 10 version 1709:
+- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
+- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
+- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
+All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
+
+
+*Figure 3.0 - Preview releases within the Windows 10 LCU model*
+
+## Previews vs. on-demand releases
+In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+
+As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
+
+### Point to consider
+- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
+- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
+- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
+- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
+
+In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
+
+## Resources
+- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
+- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
+- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
+- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
+- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
+- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
+- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 2162d1aafa..32e06ed8f5 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -1,74 +1,73 @@
----
-title: Prepare servicing strategy for Windows 10 updates (Windows 10)
-description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 11/02/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Prepare servicing strategy for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
-
-
-
-
-Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
-
-- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
-- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
-- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
-- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
-
->[!NOTE]
->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
->
->>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
-
-Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
-
-1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
-2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
-3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | Prepare servicing strategy for Windows 10 updates (this topic) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Prepare servicing strategy for Windows 10 updates (Windows 10)
+description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Prepare servicing strategy for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
+
+
+
+
+Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
+
+- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
+
+>[!NOTE]
+>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
+>
+>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+
+Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
+
+1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
+2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | Prepare servicing strategy for Windows 10 updates (this topic) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index d38b3d01e4..2b84969903 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,262 +1,263 @@
----
-title: Manage additional Windows Update settings (Windows 10)
-description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Manage additional Windows Update settings
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
-
->[!IMPORTANT]
->In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
-
-## Summary of Windows Update settings
-
-| Group Policy setting | MDM setting | Supported from version |
-| --- | --- | --- |
-| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
-| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
-| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
-| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
-| [Enable client-side targeting](#enable-client-side-targeting) | | All |
-| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
-| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
-| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-
->[!IMPORTANT]
->Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
->
->Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**.
-
-## Scanning for updates
-
-With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
-
-[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
-
-You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
-
-Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
-
-For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md).
-
-### Specify Intranet Microsoft update service location
-
-Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
-To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
-
-If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
-If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
-
-The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
-The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
-
->[!NOTE]
->If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
->
->If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
->
->The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
-
-To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate).
-
-### Automatic Updates detection frequency
-
-Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
-
-To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**.
-
-If the setting is set to **Enabled**, Windows will check for available updates at the specified interval.
-If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
-
->[!NOTE]
->The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
->
->If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
-
-To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
-
-### Remove access to use all Windows Update features
-
-By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
-
-### Do not connect to any Windows Update Internet locations
-
-Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
-
-Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
-
->[!NOTE]
->This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
-### Enable client-side targeting
-
-Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM.
-
-This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
-If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
-If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
-
-If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
-
->[!NOTE]
->This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
-
-### Allow signed updates from an intranet Microsoft update service location
-
-This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
-
-To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
-
-If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
-If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
-
->[!NOTE]
->Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
-
-To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate).
-
-
-## Installing updates
-
-To add more flexibility to the update process, settings are available to control update installation.
-
-[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
-
-### Do not include drivers with Windows Updates
-
-Allows admins to exclude Windows Update (WU) drivers during updates.
-
-To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
-Enable this policy to not include drivers with Windows quality updates.
-If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
-
-### Configure Automatic Updates
-
-Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
-#### Configuring Automatic Updates by using Group Policy
-
-Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
-
-**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
-
-**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
-
-**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
-
-**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.
-
-If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
-
-If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
-
-#### Configuring Automatic Updates by editing the registry
-
-> [!NOTE]
-> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
-
-In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
-
-To do this, follow these steps:
-
-1. Select **Start**, search for "regedit", and then open Registry Editor.
-
-2. Open the following registry key:
-
- ```
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
- ```
-
-3. Add one of the following registry values to configure Automatic Update.
-
- * NoAutoUpdate (REG_DWORD):
-
- * **0**: Automatic Updates is enabled (default).
-
- * **1**: Automatic Updates is disabled.
-
- * AUOptions (REG_DWORD):
-
- * **1**: Keep my computer up to date is disabled in Automatic Updates.
-
- * **2**: Notify of download and installation.
-
- * **3**: Automatically download and notify of installation.
-
- * **4**: Automatically download and scheduled installation.
-
- * ScheduledInstallDay (REG_DWORD):
-
- * **0**: Every day.
-
- * **1** through **7**: The days of the week from Sunday (1) to Saturday (7).
-
- * ScheduledInstallTime (REG_DWORD):
-
- **n**, where **n** equals the time of day in a 24-hour format (0-23).
-
- * UseWUServer (REG_DWORD)
-
- Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
-
- * RescheduleWaitTime (REG_DWORD)
-
- **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes)
-
- > [!NOTE]
- > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
-
- * NoAutoRebootWithLoggedOnUsers (REG_DWORD):
-
- **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
-
- > [!NOTE]
- > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
-
-To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
-
-When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
-
-To determine the WSUS server that the client computers and servers connect to for updates, add the following registry values to the registry:
-```
-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
-```
-
-* WUServer (REG_SZ)
-
- This value sets the WSUS server by HTTP name (for example, http://IntranetSUS).
-
-* WUStatusServer (REG_SZ)
-
- This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Manage additional Windows Update settings (Windows 10)
+description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Manage additional Windows Update settings
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
+
+>[!IMPORTANT]
+>In Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported on this platform.
+
+## Summary of Windows Update settings
+
+| Group Policy setting | MDM setting | Supported from version |
+| --- | --- | --- |
+| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
+| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
+| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
+| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
+| [Enable client-side targeting](#enable-client-side-targeting) | | All |
+| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
+| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
+| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
+
+>[!IMPORTANT]
+>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
+>
+>Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**.
+
+## Scanning for updates
+
+With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
+
+[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
+
+You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
+
+Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
+
+For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md).
+
+### Specify Intranet Microsoft update service location
+
+Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+
+To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
+
+If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
+If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+
+The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
+The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
+
+>[!NOTE]
+>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
+>
+>If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
+>
+>The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
+
+To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate).
+
+### Automatic Updates detection frequency
+
+Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
+
+To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**.
+
+If the setting is set to **Enabled**, Windows will check for available updates at the specified interval.
+If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
+
+>[!NOTE]
+>The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
+>
+>If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
+
+To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
+
+### Remove access to use all Windows Update features
+
+By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+### Do not connect to any Windows Update Internet locations
+
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
+
+Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
+
+>[!NOTE]
+>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+### Enable client-side targeting
+
+Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM.
+
+This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
+If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
+If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
+
+If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
+
+>[!NOTE]
+>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
+
+### Allow signed updates from an intranet Microsoft update service location
+
+This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+
+To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
+
+If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
+If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
+
+>[!NOTE]
+>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
+
+To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate).
+
+
+## Installing updates
+
+To add more flexibility to the update process, settings are available to control update installation.
+
+[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
+
+### Do not include drivers with Windows Updates
+
+Allows admins to exclude Windows Update (WU) drivers during updates.
+
+To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
+Enable this policy to not include drivers with Windows quality updates.
+If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
+
+### Configure Automatic Updates
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+#### Configuring Automatic Updates by using Group Policy
+
+Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
+
+**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
+
+**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
+
+**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
+
+**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.
+
+If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
+
+If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
+
+#### Configuring Automatic Updates by editing the registry
+
+> [!NOTE]
+> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
+
+In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
+
+To do this, follow these steps:
+
+1. Select **Start**, search for "regedit", and then open Registry Editor.
+
+2. Open the following registry key:
+
+ ```
+ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
+ ```
+
+3. Add one of the following registry values to configure Automatic Update.
+
+ * NoAutoUpdate (REG_DWORD):
+
+ * **0**: Automatic Updates is enabled (default).
+
+ * **1**: Automatic Updates is disabled.
+
+ * AUOptions (REG_DWORD):
+
+ * **1**: Keep my computer up to date is disabled in Automatic Updates.
+
+ * **2**: Notify of download and installation.
+
+ * **3**: Automatically download and notify of installation.
+
+ * **4**: Automatically download and scheduled installation.
+
+ * ScheduledInstallDay (REG_DWORD):
+
+ * **0**: Every day.
+
+ * **1** through **7**: The days of the week from Sunday (1) to Saturday (7).
+
+ * ScheduledInstallTime (REG_DWORD):
+
+ **n**, where **n** equals the time of day in a 24-hour format (0-23).
+
+ * UseWUServer (REG_DWORD)
+
+ Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
+
+ * RescheduleWaitTime (REG_DWORD)
+
+ **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes)
+
+ > [!NOTE]
+ > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
+
+ * NoAutoRebootWithLoggedOnUsers (REG_DWORD):
+
+ **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
+
+ > [!NOTE]
+ > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
+
+To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
+
+When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
+
+To determine the WSUS server that the client computers and servers connect to for updates, add the following registry values to the registry:
+```
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
+```
+
+* WUServer (REG_SZ)
+
+ This value sets the WSUS server by HTTP name (for example, http://IntranetSUS).
+
+* WUStatusServer (REG_SZ)
+
+ This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index e8912d59ed..4748ffac57 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,149 +1,149 @@
----
-title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10
-description: Configure Windows Update for Business settings using Group Policy.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Walkthrough: use Group Policy to configure Windows Update for Business
-
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-
-## Overview
-
-You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See
-
-An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
-
-To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already:
-
-- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
-- Allow access to the Windows Update service.
-- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/).
-
-
-## Set up Windows Update for Business
-
-In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information.
-
-Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:
-
-### Set up a ring
-1. Start Group Policy Management Console (gpmc.msc).
-2. Expand **Forest > Domains > *\*.
-3. Right-click *\* and select **Create a GPO in this domain and link it here**.
-4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object.
-5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**.
-6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
-
-
-## Offering
-
-You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
-
-### Manage which updates are offered
-
-Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
-
-- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates**
-- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products**
-
-We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on.
-
-### Manage when updates are offered
-You can defer or pause the installation of updates for a set period of time.
-
-#### Defer or pause an update
-
-A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify.
-
-- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
-- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
-
-#### Example
-
-In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
-
-
-
-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
-
-##### Five days later
-The devices in the fast ring are offered the quality update the next time they scan for updates.
-
-
-
-##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
-
-
-
-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
-
-##### What if a problem occurs with the update?
-
-In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
-
-
-
-At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
-
-
-
-Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
-
-
-
-#### Set branch readiness level for feature updates
-
-This policy only applies to feature updates. To enable preview builds for devices in your organization, set the "Enable preview builds" policy and then use the "Select when preview builds and feature updates are received" policy.
-
-We recommend that you set up a ring to receive preview builds by joining the Windows Insider Program for Business. By having a ring of devices receiving "pre-release slow" builds and learning about commercial pre-release features, you can ensure that any issues you have with the release are fixed before it is ever released and far before you broadly deploy.
-
-- Enable preview builds: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage Preview Builds**
-
-
-
-- Set branch readiness level: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
-
-
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
-
-
+---
+title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10
+description: Configure Windows Update for Business settings using Group Policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greg-lindsay
+ms.date: 07/27/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Walkthrough: use Group Policy to configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+
+## Overview
+
+You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See
+
+An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
+
+To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already:
+
+- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
+- Allow access to the Windows Update service.
+- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/).
+
+
+## Set up Windows Update for Business
+
+In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information.
+
+Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:
+
+### Set up a ring
+1. Start Group Policy Management Console (gpmc.msc).
+2. Expand **Forest > Domains > *\*.
+3. Right-click *\* and select **Create a GPO in this domain and link it here**.
+4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object.
+5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**.
+6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
+
+
+## Offering
+
+You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
+
+### Manage which updates are offered
+
+Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
+
+- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates**
+- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products**
+
+We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on.
+
+### Manage when updates are offered
+You can defer or pause the installation of updates for a set period of time.
+
+#### Defer or pause an update
+
+A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+
+- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
+- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received**
+
+#### Example
+
+In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
+
+
+
+When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+
+##### Five days later
+The devices in the fast ring are offered the quality update the next time they scan for updates.
+
+
+
+##### Ten days later
+Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+
+
+
+If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+
+##### What if a problem occurs with the update?
+
+In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
+
+
+
+At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
+
+
+
+Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
+
+
+
+#### Set branch readiness level for feature updates
+
+This policy only applies to feature updates. To enable preview builds for devices in your organization, set the "Enable preview builds" policy and then use the "Select when preview builds and feature updates are received" policy.
+
+We recommend that you set up a ring to receive preview builds by joining the Windows Insider Program for Business. By having a ring of devices receiving "pre-release slow" builds and learning about commercial pre-release features, you can ensure that any issues you have with the release are fixed before it is ever released and far before you broadly deploy.
+
+- Enable preview builds: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Manage Preview Builds**
+
+
+
+- Set branch readiness level: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received**
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
+
+
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 30f7702f19..7736d4e6c7 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -1,293 +1,295 @@
----
-title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
-description: Configure Windows Update for Business settings using Microsoft Intune.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Walkthrough: use Microsoft Intune to configure Windows Update for Business
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
-
-Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
-
-To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
-
->[!NOTE]
->Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune)
-
-## Configure Windows Update for Business in Windows 10, version 1511
-
-In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
-
-- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
-- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
-
->[!NOTE]
->Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
-
-### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
-
-1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
-
-2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
-
- 
-
-3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-
-4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
-
-5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
-
-6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
-
-7. In the **Value** box, type **1**, and then click **OK**.
-
- >[!NOTE]
- >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
-
- 
-
-8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**.
-
-9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
-
- >[!NOTE]
- >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
-
-10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
-
-You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates.
-
-### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
-
-1. In the Policy workspace, click **Configuration Policies**, and then click **Add**.
-
-2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-
-3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
- In this policy, you add two OMA-URI settings, one for each deferment type.
-
-4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
-
-6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
-
-7. Click **OK** to save the setting.
-
-8. In the **OMA-URI Settings** section, click **Add**.
-
-9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
-
-11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
-
-12. In the **Value** box, type **1**.
-
-13. Click **OK** to save the setting.
-
-14. In the **OMA-URI Settings** section, click **Add**.
-
-15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
-
-17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
-
-18. In the **Value** box, type **1**.
-
-19. Click **OK** to save the setting.
-
- Three settings should appear in the **Windows Update for Business – CBB2** policy.
-
- 
-
-20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
-
-21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**.
-
-## Configure Windows Update for Business in Windows 10 version 1607
-
-To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
-
-In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
-
-- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released.
-- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
-- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
-
-### Configure Ring 2 Pilot Business Users policy
-
-1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
-
-2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
-
- 
-
-3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-
-4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**.
-
-4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
-
-6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
-
-7. In the **Value** box, type **0**, and then click **OK**.
-
- >[!NOTE]
- >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
-
- 
-
-8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
-
-8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list.
-10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
-11. In the **Value** box, type **28**, and then click **OK**.
-
- 
-
-9. Click **Save Policy**.
-
-9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**.
-
- >[!NOTE]
- >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
-
-10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
-
-You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available.
-
-### Configure Ring 4 Broad business users policy
-
-2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
-
- 
-
-3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-
-4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
-
-5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
-
-6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
-
-7. In the **Value** box, type **1**, and then click **OK**.
-
- >[!NOTE]
- >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
-
-
-8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
-
-9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
-
-10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
-
-11. In the **Value** box, type **0**, and then click **OK**.
-
- 
-
-12. Click **Save Policy**.
-
-13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
-
- >[!NOTE]
- >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
-
-14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
-
-You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
-
-
-### Configure Ring 5 Broad business users \#2 policy
-
-2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
-
- 
-
-3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-
-4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
-
-5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
-
-6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
-
-7. In the **Value** box, type **1**, and then click **OK**.
-
- >[!NOTE]
- >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
-
-
-8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
-
-9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
-
-10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
-
-11. In the **Value** box, type **7**, and then click **OK**.
-
-12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
-
-13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
-
-14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
-
-15. In the **Value** box, type **14**, and then click **OK**.
-
- 
-
-16. Click **Save Policy**.
-
-17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**.
-
- >[!NOTE]
- >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
-
-18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**.
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
-
-
-
-
-
+---
+title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
+description: Configure Windows Update for Business settings using Microsoft Intune.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.audience: itpro
+author: greg-lindsay
+ms.date: 07/27/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Walkthrough: use Microsoft Intune to configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
+You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
+
+Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
+
+To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
+
+>[!NOTE]
+>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune)
+
+## Configure Windows Update for Business in Windows 10, version 1511
+
+In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
+- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
+
+>[!NOTE]
+>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
+
+### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+ 
+
+8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates.
+
+### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
+
+1. In the Policy workspace, click **Configuration Policies**, and then click **Add**.
+
+2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+ In this policy, you add two OMA-URI settings, one for each deferment type.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
+
+7. Click **OK** to save the setting.
+
+8. In the **OMA-URI Settings** section, click **Add**.
+
+9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
+
+11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
+
+12. In the **Value** box, type **1**.
+
+13. Click **OK** to save the setting.
+
+14. In the **OMA-URI Settings** section, click **Add**.
+
+15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
+
+17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
+
+18. In the **Value** box, type **1**.
+
+19. Click **OK** to save the setting.
+
+ Three settings should appear in the **Windows Update for Business – CBB2** policy.
+
+ 
+
+20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
+
+21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**.
+
+## Configure Windows Update for Business in Windows 10 version 1607
+
+To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
+
+In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
+
+- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released.
+- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
+- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
+
+### Configure Ring 2 Pilot Business Users policy
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **0**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+ 
+
+8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list.
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
+11. In the **Value** box, type **28**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available.
+
+### Configure Ring 4 Broad business users policy
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+
+8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
+
+11. In the **Value** box, type **0**, and then click **OK**.
+
+ 
+
+12. Click **Save Policy**.
+
+13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
+
+
+### Configure Ring 5 Broad business users \#2 policy
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+
+8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
+
+11. In the **Value** box, type **7**, and then click **OK**.
+
+12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
+
+14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
+
+15. In the **Value** box, type **14**, and then click **OK**.
+
+ 
+
+16. Click **Save Policy**.
+
+17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 35a8196735..0a0a06c7eb 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -78,7 +78,7 @@ To enable data sharing, configure your proxy server to whitelist the following e
>[!NOTE]
>Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland):
>- Windows diagnostic data from Windows 8.1 devices
->- App usage data for Windows 7 devices
+>- App usage data and [Internet Explorer site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) features for Windows 7 devices
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index e7532a859e..b413218f3d 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -319,7 +319,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
## Release notes
08/08/2019 - SetupDiag v1.6.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
- - Much improved log detection performance. What used to take up to a minute, should take around 10 seconds or less.
+ - Log detection performance is improved. What used to take up to a minute should take around 10 seconds or less.
- Added Setup Operation and Setup Phase information to both the results log and the registry information.
- This is the last Operation and Phase that Setup was in when the failure occurred.
- Added detailed Setup Operation and Setup Phase information (and timing) to output log when /verbose is specified.
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 93d1f63cc0..c6c73aa23e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -5,7 +5,8 @@ manager: laurawi
ms.author: greglin
description: Explains additional features of Upgrade Readiness.
ms.prod: w10
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.topic: article
ms.collection: M365-analytics
---
@@ -14,44 +15,9 @@ ms.collection: M365-analytics
This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include:
-- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities.
- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer.
- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
-## Spectre and Meltdown protection status
-Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take.
-
-Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities:
-- Verify that you are running a supported antivirus application.
-- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates.
-- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s).
-
-Upgrade Readiness reports on status of your devices in these three areas.
-
-
-
->[!IMPORTANT]
->To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.)
-
-### Anti-virus status blade
-This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices.
-
-
-
-### Security update status blade
-This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled.
-
-
-
->[!IMPORTANT]
->If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint.
-
-### Firmware update status blade
-This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part.
-
-
-
-
## Site discovery
The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 1eef483854..8ad77cca4e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -1,190 +1,191 @@
----
-title: Upgrade Readiness deployment script (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Deployment script for Upgrade Readiness.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness deployment script
-
-To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
-
->[!IMPORTANT]
->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
-
->[!IMPORTANT]
->The latest version of the Upgrade Readiness Script is **2.4.4 - 10.10.2018**
-
-For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread).
-
-> The following guidance applies to version **2.4.4 - 10.10.2018** of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
-
-The Upgrade Readiness deployment script does the following:
-
-1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
-2. Verifies that user computers can send data to Microsoft.
-3. Checks whether the computer has a pending restart.
-4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
-5. If enabled, turns on verbose mode for troubleshooting.
-6. Initiates the collection of the diagnostic data that Microsoft needs to assess your organization’s upgrade readiness.
-7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
-
-## Running the script
-
->There should be no performance impact caused by the script. The script is a light wrapper of Windows in-box components that undergo performance testing and optimization to avoid any performance impact. However, typically the script is scheduled to be run outside of working hours.
->
->Do not run the script at each sign-on. It is recommended to run the script once every 30 days.
->
->The length of time the script takes to run on each system depends on the number of apps and drivers, and the type of hardware. Anti-virus software scanning simultaneously can increase the script run time, but the script should require no longer than 10 minutes to run, and typically the time is much shorter. If the script is observed running for an extended period of time, please run the Pilot script, and collect logs to share with Microsoft. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
-To run the Upgrade Readiness deployment script:
-
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
-
-2. Edit the following parameters in RunConfig.bat:
-
- 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
-
- 2. Input your commercial ID key. To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID:
-
- 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
-
- > *logMode = 0 log to console only*
- >
- > *logMode = 1 log to file and console*
- >
- > *logMode = 2 log to file only*
-
-3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-4. The deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
-
- The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
- This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
-
- \*vortex\*.data.microsoft.com
- \*settings\*.data.microsoft.com
-
-5. The deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**.
-
-6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-
-## Exit codes
-
-The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
-
-| Exit code | Suggested fix |
-|-----------|--------------|
-| 0 - Success | N/A |
-| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
-| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. |
-| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
-| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
-| 9 - The script failed to write Commercial Id to registry.
-Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
-| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
-| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
-| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
-| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
-| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
-| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
-| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
-| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
-|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
-| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
-| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
-| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
-| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
-| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
-| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
-| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
-| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
-| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
-| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
-| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
-| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
-| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
-| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
-| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
-| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
-| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
-| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
-| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercial ID from your workspace. To find your commercial ID, first navigate to the Solutions tab for your workspace in Azure Portal, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID.|
-| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
-| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. The most common cause is incorrect setup of diagnostic data. Check the ExceptionHResult and ExceptionMessage for more details. |
-| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
-| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
-| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). |
-| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
-| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
-| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
-| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
-| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
-| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
-| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
-| 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. |
-| 63 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. |
-| 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. |
-| 65 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. |
-| 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. |
-| 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. |
-
-
-
-
-
-
-> [!NOTE]
-> **Additional steps to follow if you receive exit code 33**
->
-> Check the exit code for any of these messages:
->
-> - CompatTelRunner.exe exited with last error code: 0x800703F1
-> - CompatTelRunner.exe exited with last error code: 0x80070005
-> - CompatTelRunner.exe exited with last error code: 0x80080005
->
->
-> If the exit code includes any of those messages, then run these commands from an elevated command prompt:
->
-> 1. Net stop diagtrack
-> 2. Net stop pcasvc
-> 3. Net stop dps
-> 4. Del %windir%\appcompat\programs\amcache.hve
-> 5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f
-> 6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f
-> 7. Net start diagtrack
-> 8. Net start pcasvc
-> 9. Net start dps
->
-> Then run the Enterprise Config script (RunConfig.bat) again.
->
-> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
-
+---
+title: Upgrade Readiness deployment script (Windows 10)
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: Deployment script for Upgrade Readiness.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+ms.collection: M365-analytics
+---
+
+# Upgrade Readiness deployment script
+
+To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
+
+>[!IMPORTANT]
+>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
+
+>[!IMPORTANT]
+>The latest version of the Upgrade Readiness Script is **2.4.4 - 10.10.2018**
+
+For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread).
+
+> The following guidance applies to version **2.4.4 - 10.10.2018** of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+
+The Upgrade Readiness deployment script does the following:
+
+1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
+2. Verifies that user computers can send data to Microsoft.
+3. Checks whether the computer has a pending restart.
+4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
+5. If enabled, turns on verbose mode for troubleshooting.
+6. Initiates the collection of the diagnostic data that Microsoft needs to assess your organization’s upgrade readiness.
+7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
+
+## Running the script
+
+>There should be no performance impact caused by the script. The script is a light wrapper of Windows in-box components that undergo performance testing and optimization to avoid any performance impact. However, typically the script is scheduled to be run outside of working hours.
+>
+>Do not run the script at each sign-on. It is recommended to run the script once every 30 days.
+>
+>The length of time the script takes to run on each system depends on the number of apps and drivers, and the type of hardware. Anti-virus software scanning simultaneously can increase the script run time, but the script should require no longer than 10 minutes to run, and typically the time is much shorter. If the script is observed running for an extended period of time, please run the Pilot script, and collect logs to share with Microsoft. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
+
+To run the Upgrade Readiness deployment script:
+
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+
+2. Edit the following parameters in RunConfig.bat:
+
+ 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
+
+ 2. Input your commercial ID key. To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID:
+
+ 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+
+ > *logMode = 0 log to console only*
+ >
+ > *logMode = 1 log to file and console*
+ >
+ > *logMode = 2 log to file only*
+
+3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
+
+ > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+ >
+ > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+ >
+ > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+ >
+ > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+4. The deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
+
+ The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
+
+ This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
+
+ \*vortex\*.data.microsoft.com
+ \*settings\*.data.microsoft.com
+
+5. The deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**.
+
+6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+
+## Exit codes
+
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+| Exit code | Suggested fix |
+|-----------|--------------|
+| 0 - Success | N/A |
+| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
+| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. |
+| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
+| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
+| 9 - The script failed to write Commercial Id to registry.
+Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
+| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
+| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
+| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
+| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
+| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
+| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
+| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
+| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
+|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
+| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
+| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
+| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
+| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
+| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
+| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
+| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
+| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
+| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
+| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
+| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
+| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
+| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
+| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
+| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
+| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
+| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
+| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
+| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercial ID from your workspace. To find your commercial ID, first navigate to the Solutions tab for your workspace in Azure Portal, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID.|
+| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
+| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. The most common cause is incorrect setup of diagnostic data. Check the ExceptionHResult and ExceptionMessage for more details. |
+| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
+| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
+| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). |
+| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
+| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
+| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
+| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
+| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
+| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
+| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
+| 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. |
+| 63 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. |
+| 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. |
+| 65 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. |
+| 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. |
+| 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. |
+
+
+
+
+
+
+> [!NOTE]
+> **Additional steps to follow if you receive exit code 33**
+>
+> Check the exit code for any of these messages:
+>
+> - CompatTelRunner.exe exited with last error code: 0x800703F1
+> - CompatTelRunner.exe exited with last error code: 0x80070005
+> - CompatTelRunner.exe exited with last error code: 0x80080005
+>
+>
+> If the exit code includes any of those messages, then run these commands from an elevated command prompt:
+>
+> 1. Net stop diagtrack
+> 2. Net stop pcasvc
+> 3. Net stop dps
+> 4. Del %windir%\appcompat\programs\amcache.hve
+> 5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f
+> 6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f
+> 7. Net start diagtrack
+> 8. Net start pcasvc
+> 9. Net start dps
+>
+> Then run the Enterprise Config script (RunConfig.bat) again.
+>
+> If the script still fails, then contact support@microsoft.com and share the log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
+
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 671ba50c38..bb0ea00851 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -1,63 +1,63 @@
----
-title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
-ms.reviewer:
-manager: laurawi
-description: Describes how to use Upgrade Readiness to manage Windows upgrades.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
-ms.localizationpriority: medium
-ms.prod: w10
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.topic: article
----
-
-# Use Upgrade Readiness to manage Windows upgrades
-
->[!IMPORTANT]
->>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started).
-
-You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-
-- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
-- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
-
-When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
-
-
-
-Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
-
->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB).
-
-The following information and workflow is provided:
-
-- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
-- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications.
-- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications.
-- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process.
-
-Also see the following topic for information about additional items that can be affected by the upgrade process:
-
-- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
-
-## Target version
-
-The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example:
-
-
-
-The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
-
-The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
-
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803.
-
-To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
-
-
-
->You must be signed in to Upgrade Readiness as an administrator to view settings.
-
-On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
-
-
+---
+title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
+ms.reviewer:
+manager: laurawi
+description: Describes how to use Upgrade Readiness to manage Windows upgrades.
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
+ms.localizationpriority: medium
+ms.prod: w10
+audience: itpro
+author: jaimeo
+ms.author: jaimeo
+ms.topic: article
+---
+
+# Use Upgrade Readiness to manage Windows upgrades
+
+>[!IMPORTANT]
+>>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started).
+
+You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
+
+- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
+
+When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
+
+
+
+Blue tiles enumerate each step in the workflow. White tiles show data to help you get started, to monitor your progress, and to complete each step.
+>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Semi-Annual Channel.
+
+The following information and workflow is provided:
+
+- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
+- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications.
+- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications.
+- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process.
+
+Also see the following topic for information about additional items that can be affected by the upgrade process:
+
+- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
+
+## Target version
+
+The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example:
+
+
+
+The default target version in Upgrade Readiness is set to the released version of the Semi-Annual Channel. Check [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) to learn the current version in the Semi-Annual Channel. The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
+
+The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
+
+You can change the Windows 10 version you want to target. All currently supported versions of Windows 10 are available options.
+
+To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
+
+
+
+>You must be signed in to Upgrade Readiness as an administrator to view settings.
+
+On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
+
+
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index cf9e600103..c1cf90e9a0 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,283 +1,284 @@
----
-title: Windows 10 upgrade paths (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.pagetype: mobile
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 upgrade paths
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-## Upgrade paths
-
-This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
-
-> **Windows 10 version upgrade**: You can directly upgrade a supported version of Windows 10 to a newer version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
->
-> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
->
-> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup).
->
-> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
->
-> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
-
-✔ = Full upgrade is supported including personal data, settings, and applications.
-D = Edition downgrade; personal data is maintained, applications and settings are removed.
-
-
-
-
-
-
-
Windows 10 Home
-
Windows 10 Pro
-
Windows 10 Pro Education
-
Windows 10 Education
-
Windows 10 Enterprise
-
Windows 10 Mobile
-
Windows 10 Mobile Enterprise
-
-
-
Windows 7
-
-
-
Starter
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
-
Home Basic
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
-
Home Premium
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
-
Professional
-
D
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
Ultimate
-
D
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
Enterprise
-
-
-
-
✔
-
✔
-
-
-
-
-
Windows 8.1
-
-
-
(Core)
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
-
Connected
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
-
Pro
-
D
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
Pro Student
-
D
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
Pro WMC
-
D
-
✔
-
✔
-
✔
-
✔
-
-
-
-
-
Enterprise
-
-
-
-
✔
-
✔
-
-
-
-
-
Embedded Industry
-
-
-
-
-
✔
-
-
-
-
-
Windows RT
-
-
-
-
-
-
-
-
-
-
Windows Phone 8.1
-
-
-
-
-
-
-
✔
-
-
-
Windows 10
-
-
-
Home
-
-
✔
-
✔
-
✔
-
-
-
-
-
-
Pro
-
D
-
-
✔
-
✔
-
✔
-
-
-
-
-
Education
-
-
-
-
-
D
-
-
-
-
-
Enterprise
-
-
-
-
✔
-
-
-
-
-
-
Mobile
-
-
-
-
-
-
-
✔
-
-
-
Mobile Enterprise
-
-
-
-
-
-
D
-
-
-
-
-
-## Related Topics
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-
-
-
-
-
+---
+title: Windows 10 upgrade paths (Windows 10)
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.pagetype: mobile
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 upgrade paths
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+## Upgrade paths
+
+This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+
+> **Windows 10 version upgrade**: You can directly upgrade a supported version of Windows 10 to a newer version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
+>
+> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+>
+> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
+>
+> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+>
+> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+
+
+
+
+
+
Windows 10 Home
+
Windows 10 Pro
+
Windows 10 Pro Education
+
Windows 10 Education
+
Windows 10 Enterprise
+
Windows 10 Mobile
+
Windows 10 Mobile Enterprise
+
+
+
Windows 7
+
+
+
Starter
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
Home Basic
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
Home Premium
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
Professional
+
D
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
Ultimate
+
D
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
Enterprise
+
+
+
+
✔
+
✔
+
+
+
+
+
Windows 8.1
+
+
+
(Core)
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
Connected
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
+
Pro
+
D
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
Pro Student
+
D
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
Pro WMC
+
D
+
✔
+
✔
+
✔
+
✔
+
+
+
+
+
Enterprise
+
+
+
+
✔
+
✔
+
+
+
+
+
Embedded Industry
+
+
+
+
+
✔
+
+
+
+
+
Windows RT
+
+
+
+
+
+
+
+
+
+
Windows Phone 8.1
+
+
+
+
+
+
+
✔
+
+
+
Windows 10
+
+
+
Home
+
+
✔
+
✔
+
✔
+
+
+
+
+
+
Pro
+
D
+
+
✔
+
✔
+
✔
+
+
+
+
+
Education
+
+
+
+
+
D
+
+
+
+
+
Enterprise
+
+
+
+
✔
+
+
+
+
+
+
Mobile
+
+
+
+
+
+
+
✔
+
+
+
Mobile Enterprise
+
+
+
+
+
+
D
+
+
+
+
+
+## Related Topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
+
+
+
+
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 8e45d24439..2eab7ea7b8 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,268 +1,269 @@
----
-title: Offline Migration Reference (Windows 10)
-description: Offline Migration Reference
-ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Offline Migration Reference
-
-
-Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios:
-
-- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine.
-
-- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory.
-
-When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by:
-
-- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively.
-
-- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. This may increase performance on older machines with limited hardware resources and numerous installed software applications.
-
-- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE.
-
-## In This Topic
-
-
-- [What Will Migrate Offline?](#bkmk-whatwillmigrate)
-
-- [What Offline Environments are Supported?](#bkmk-offlineenvironments)
-
-- [User-Group Membership and Profile Control](#bkmk-usergroupmembership)
-
-- [Command-Line Options](#bkmk-commandlineoptions)
-
-- [Environment Variables](#bkmk-environmentvariables)
-
-- [Offline.xml Elements](#bkmk-offlinexml)
-
-## What Will Migrate Offline?
-
-
-The following user data and settings migrate offline, similar to an online migration:
-
-- Data and registry keys specified in MigXML
-
-- User accounts
-
-- Application settings
-
-- Limited set of operating-system settings
-
-- EFS files
-
-- Internet Explorer® Favorites
-
-For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-## What Offline Environments are Supported?
-
-
-The following table defines the supported combination of online and offline operating systems in USMT.
-
-
-
-
-
-
-
-
-
Running Operating System
-
Offline Operating System
-
-
-
-
-
WinPE 5.0 or greater, with the MSXML library
-
Windows Vista, Windows 7, Windows 8, Windows 10
-
-
-
Windows 7, Windows 8, Windows 10
-
Windows.old directory
-
-
-
-
-
-
-**Note**
-It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](https://go.microsoft.com/fwlink/p/?LinkId=190314).
-
-
-
-## User-Group Membership and Profile Control
-
-
-User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
-
-``` syntax
-
-
-
-
-
-
- *
-
-
-
-
-
-
-```
-
-For information about the format of a Config.xml file, see [Config.xml File](usmt-configxml-file.md).
-
-## Command-Line Options
-
-
-An offline migration can either be enabled by using a configuration file on the command line, or by using one of the following command line options:
-
-
-
-
-
-
-
-
-
-
Component
-
Option
-
Description
-
-
-
-
-
ScanState.exe
-
/offline:<path to offline.xml>
-
This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.
-
-
-
ScanState.exe
-
/offlineWinDir:<Windows directory>
-
This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.
-
-
-
ScanState.exe
-
/OfflineWinOld:<Windows.old directory>
-
This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.
-
-
-
-
-
-
-You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together.
-
-## Environment Variables
-
-
-The following system environment variables are necessary in the scenarios outlined below.
-
-
-
-
-
-
-
-
-
-
Variable
-
Value
-
Scenario
-
-
-
-
-
USMT_WORKING_DIR
-
Full path to a working directory
-
Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following:
-
Set USMT_WORKING_DIR=[path to working directory]
-
-
-
MIG_OFFLINE_PLATFORM_ARCH
-
32 or 64
-
While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
-
Set MIG_OFFLINE_PLATFORM_ARCH=32
-
-
-
-
-
-
-## Offline.xml Elements
-
-
-Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option.
-
-### <offline>
-
-This element contains other elements that define how an offline migration is to be performed.
-
-Syntax: <offline> </offline>
-
-### <winDir>
-
-This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume.
-
-Syntax: < winDir > </ winDir >
-
-### <path>
-
-This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory.
-
-Syntax: <path> c:\\windows </path>
-
--or-
-
-Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path>
-
-### <mappings>
-
-This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder.
-
-Syntax: <mappings> </mappings>
-
-### <failOnMultipleWinDir>
-
-This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail.
-
-Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir>
-
-### Offline .xml Example
-
-The following XML example illustrates some of the elements discussed earlier in this topic.
-
-``` syntax
-
-
- C:\Windows
- D:\Windows
- E:\
-
- 1
-
-```
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: Offline Migration Reference (Windows 10)
+description: Offline Migration Reference
+ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Offline Migration Reference
+
+
+Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios:
+
+- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine.
+
+- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory.
+
+When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by:
+
+- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively.
+
+- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. This may increase performance on older machines with limited hardware resources and numerous installed software applications.
+
+- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE.
+
+## In This Topic
+
+
+- [What Will Migrate Offline?](#bkmk-whatwillmigrate)
+
+- [What Offline Environments are Supported?](#bkmk-offlineenvironments)
+
+- [User-Group Membership and Profile Control](#bkmk-usergroupmembership)
+
+- [Command-Line Options](#bkmk-commandlineoptions)
+
+- [Environment Variables](#bkmk-environmentvariables)
+
+- [Offline.xml Elements](#bkmk-offlinexml)
+
+## What Will Migrate Offline?
+
+
+The following user data and settings migrate offline, similar to an online migration:
+
+- Data and registry keys specified in MigXML
+
+- User accounts
+
+- Application settings
+
+- Limited set of operating-system settings
+
+- EFS files
+
+- Internet Explorer® Favorites
+
+For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
+
+## What Offline Environments are Supported?
+
+
+The following table defines the supported combination of online and offline operating systems in USMT.
+
+
+
+
+
+
+
+
+
Running Operating System
+
Offline Operating System
+
+
+
+
+
WinPE 5.0 or greater, with the MSXML library
+
Windows Vista, Windows 7, Windows 8, Windows 10
+
+
+
Windows 7, Windows 8, Windows 10
+
Windows.old directory
+
+
+
+
+
+
+**Note**
+It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](https://go.microsoft.com/fwlink/p/?LinkId=190314).
+
+
+
+## User-Group Membership and Profile Control
+
+
+User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
+
+``` xml
+
+
+
+
+
+
+ *
+
+
+
+
+
+
+```
+
+For information about the format of a Config.xml file, see [Config.xml File](usmt-configxml-file.md).
+
+## Command-Line Options
+
+
+An offline migration can either be enabled by using a configuration file on the command line, or by using one of the following command line options:
+
+
+
+
+
+
+
+
+
+
Component
+
Option
+
Description
+
+
+
+
+
ScanState.exe
+
/offline:<path to offline.xml>
+
This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.
+
+
+
ScanState.exe
+
/offlineWinDir:<Windows directory>
+
This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.
+
+
+
ScanState.exe
+
/OfflineWinOld:<Windows.old directory>
+
This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.
+
+
+
+
+
+
+You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together.
+
+## Environment Variables
+
+
+The following system environment variables are necessary in the scenarios outlined below.
+
+
+
+
+
+
+
+
+
+
Variable
+
Value
+
Scenario
+
+
+
+
+
USMT_WORKING_DIR
+
Full path to a working directory
+
Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following:
+
Set USMT_WORKING_DIR=[path to working directory]
+
+
+
MIG_OFFLINE_PLATFORM_ARCH
+
32 or 64
+
While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
+
Set MIG_OFFLINE_PLATFORM_ARCH=32
+
+
+
+
+
+
+## Offline.xml Elements
+
+
+Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option.
+
+### <offline>
+
+This element contains other elements that define how an offline migration is to be performed.
+
+Syntax: <offline> </offline>
+
+### <winDir>
+
+This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume.
+
+Syntax: < winDir > </ winDir >
+
+### <path>
+
+This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory.
+
+Syntax: <path> c:\\windows </path>
+
+-or-
+
+Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path>
+
+### <mappings>
+
+This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder.
+
+Syntax: <mappings> </mappings>
+
+### <failOnMultipleWinDir>
+
+This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail.
+
+Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir>
+
+### Offline .xml Example
+
+The following XML example illustrates some of the elements discussed earlier in this topic.
+
+``` xml
+
+
+ C:\Windows
+ D:\Windows
+ E:\
+
+ 1
+
+```
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 6b8d904b03..bc484bd496 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -1,541 +1,542 @@
----
-title: Understanding Migration XML Files (Windows 10)
-description: Understanding Migration XML Files
-ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Understanding Migration XML Files
-
-
-You can modify the behavior of a basic User State Migration Tool (USMT)10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the MigDocs.xml and MigUser.xml files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a Config.xml file to further customize your migration.
-
-This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer.
-
-## In This Topic
-
-
-[Overview of the Config.xml file](#bkmk-config)
-
-[Overview of the MigApp.xml file](#bkmk-migapp)
-
-[Overview of the MigDocs.xml file](#bkmk-migdocs)
-
-[Overview of the MigUser.xml file](#bkmk-miguser)
-
-[Using multiple XML files](#bkmk-multiple)
-
-[XML rules for migrating user files](#bkmk-userfiles)
-
-[The GenerateDocPatterns function](#bkmk-generate)
-
-[Understanding the system and user context](#bkmk-context)
-
-[Sample migration rules for customized versions of XML files](#bkmk-samples)
-
-[Exclude rules usage examples](#bkmk-exclude)
-
-[Include rules usage examples](#bkmk-include)
-
-[Next Steps](#bkmk-next)
-
-## Overview of the Config.xml file
-
-
-The Config.xml file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The Config.xml file can be used in conjunction with other XML files, such as in the following example: `scanstate /i:migapps.xml /i:migdocs.xml /genconfig:c:\myFolder\config.xml`. When used this way, the Config.xml file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the Config.xml file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).
-
-**Note**
-When modifying the XML elements in the Config.xml file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files.
-
-
-
-## Overview of the MigApp.xml file
-
-
-The MigApp.xml file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). You must include the MigApp.xml file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The MigDocs.xml and MigUser.xml files do not migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md).
-
-**Important**
-The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. See the [Sample migration rules for customized versions of XML files](#bkmk-samples) section of this document for more information about migrating .pst files that are not linked to Outlook.
-
-
-
-## Overview of the MigDocs.xml file
-
-
-The MigDocs.xml file uses the new **GenerateDocPatterns** helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the MigDocs.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions.
-
-The default MigDocs.xml file migrates the following:
-
-- All files on the root of the drive except %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA%, or %USERS%.
-
-- All folders in the root directory of all fixed drives. For example: c:\\data\_mail\\\*\[\*\]
-
-- All files from the root of the Profiles folder, except for files in the system profile. For example: c:\\users\\name\[mail.pst\]
-
-- All folders from the root of the Profiles folder, except for the system-profile folders. For example: c:\\users\\name\\new folder\\\*\[\*\]
-
-- Standard shared folders:
-
- - CSIDL\_COMMON\_DESKTOPDIRECTORY
-
- - CSIDL\_COMMON\_FAVORITES
-
- - CSIDL\_COMMON\_DOCUMENTS
-
- - CSIDL\_COMMON\_MUSIC
-
- - CSIDL\_COMMON\_PICTURES
-
- - CSIDL\_COMMON\_VIDEO
-
- - FOLDERID\_PublicDownloads
-
-- Standard user-profile folders for each user:
-
- - CSIDL\_MYDOCUMENTS
-
- - CSIDL\_MYPICTURES
-
- - FOLDERID\_OriginalImages
-
- - CSIDL\_MYMUSIC
-
- - CSIDL\_MYVIDEO
-
- - CSIDL\_FAVORITES
-
- - CSIDL\_DESKTOP
-
- - CSIDL\_QUICKLAUNCH
-
- - FOLDERID\_Contacts
-
- - FOLDERID\_Libraries
-
- - FOLDERID\_Downloads
-
- - FOLDERID\_SavedGames
-
- - FOLDERID\_RecordedTV
-
-The default MigDocs.xml file will not migrate the following:
-
-- Files tagged with both the **hidden** and **system** attributes.
-
-- Files and folders on removable drives.
-
-- Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders.
-
-- Folders that contain installed applications.
-
-You can also use the **/genmigxml** option with the ScanState tool to review and modify what files will be migrated.
-
-## Overview of the MigUser.xml file
-
-
-The MigUser.xml file includes instructions for USMT to migrate user files based on file name extensions. You can use the MigUser.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The MigUser.xml file will gather all files from the standard user-profile folders, as well as any files on the computer with the specified file name extensions.
-
-The default MigUser.xml file migrates the following:
-
-- All files from the standard user-profile folders which are described as:
-
- - CSIDL\_MYVIDEO
-
- - CSIDL\_MYMUSIC
-
- - CSIDL\_DESKTOP
-
- - CSIDL\_STARTMENU
-
- - CSIDL\_PERSONAL
-
- - CSIDL\_MYPICTURES
-
- - CSIDL\_FAVORITES
-
- - CSIDL\_QUICK LAUNCH
-
-- Files with the following extensions:
-
- .qdf, .qsd, .qel, .qph, .doc\*, .dot\*, .rtf, .mcw, .wps, .scd, .wri, .wpd, .xl\*, .csv, .iqy, .dqy, .oqy, .rqy, .wk\*, .wq1, .slk, .dif, .ppt\*, .pps\*, .pot\*, .sh3, .ch3, .pre, .ppa, .txt, .pst, .one\*, .vl\*, .vsd, .mpp, .or6, .accdb, .mdb, .pub
-
-The default MigUser.xml file does not migrate the following:
-
-- Files tagged with both the **hidden** and **system** attributes.
-
-- Files and folders on removable drives,
-
-- Data from the %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA% folders.
-
-- ACLS for files in folders outside the user profile.
-
-You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer.
-
-**Note**
-Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than three hundred file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document.
-
-
-
-## Using multiple XML files
-
-
-You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with additional migration rules.
-
-
-
-
-
-
-
-
-
XML migration file
-
Modifies the following components:
-
-
-
-
-
Config.xml file
-
Operating-system components such as desktop wallpaper and background theme.
-
You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see Customize USMT XML Files and Config.xml File.
-
-
-
MigApps.xml file
-
Applications settings.
-
-
-
MigUser.xml or MigDocs.xml files
-
User files and profile settings.
-
-
-
Custom XML files
-
Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.
-
-
-
-
-
-
-For example, you can use all of the XML migration file types for a single migration, as in the following example:
-
-``` syntax
-Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml
-```
-
-### XML rules for migrating user files
-
-**Important**
-You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer.
-
-
-
-If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions.
-
-If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#bkmk-createxml) section of this document.
-
-## Creating and editing a custom XML file
-
-
-You can use the **/genmigxml** command-line option to determine which files will be included in your migration. The **/genmigxml** option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary.
-
-**Note**
-If you reinstall USMT, the default migration XML files will be overwritten and any customizations you make directly to these files will be lost. Consider creating separate XML files for your custom migration rules and saving them in a secure location.
-
-
-
-To generate the XML migration rules file for a source computer:
-
-1. Click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as**.
-
-2. Select an account with administrator privileges, supply a password, and then click **OK**.
-
-3. At the command prompt, type:
-
- ``` syntax
- cd /d
- scanstate.exe /genmigxml:
- ```
-
- Where *<USMTpath>* is the location on your source computer where you have saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, type:
-
- ``` syntax
- cd /d c:\USMT
- scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
- ```
-
-### The GenerateDocPatterns function
-
-The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes three Boolean values. You can change the settings to modify the way the MigDocs.xml file generates the XML rules for migration.
-
-
-
-
-
-
-
-
-
-
Setting
-
Value
-
Default Value
-
-
-
-
-
ScanProgramFiles
-
The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.
-
For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files:
If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions.
-
False
-
-
-
IncludePatterns
-
The IncludePatterns argument determines whether to generate exclude or include patterns in the XML. When this argument is set to TRUE, the GenerateDocPatterns function generates include patterns and the function must be added under the <include> element. Changing this argument to FALSE generates exclude patterns and the function must be added under the <exclude> element.
-
True
-
-
-
SystemDrive
-
The SystemDrive argument determines whether to generate patterns for all fixed drives or only for the system drive. Changing this argument to TRUE restricts all patterns to the system drive.
-
False
-
-
-
-
-
-
-**Usage:**
-
-``` syntax
-MigXmlHelper.GenerateDocPatterns ("", "", "")
-```
-
-To create include data patterns for only the system drive:
-
-``` syntax
-
-
-
-
-
-```
-
-To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory:
-
-``` syntax
-
-
-
-
-
-```
-
-To create exclude data patterns:
-
-``` syntax
-
-
-
-
-
-```
-
-### Understanding the system and user context
-
-The migration XML files contain two <component> elements with different **context** settings. The system context applies to files on the computer that are not stored in the User Profiles directory, while the user context applies to files that are particular to an individual user.
-
-**System context**
-
-The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included:
-
-- CSIDL\_COMMON\_DESKTOPDIRECTORY
-
-- CSIDL\_COMMON\_FAVORITES
-
-- CSIDL\_COMMON\_DOCUMENTS
-
-- CSIDL\_COMMON\_MUSIC
-
-- CSIDL\_COMMON\_PICTURES
-
-- CSIDL\_COMMON\_VIDEO
-
-- FOLDERID\_PublicDownloads
-
-**User context**
-
-The user context includes rules for data in the User Profiles directory. When called in a user context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. The following folders are included:
-
-- CSIDL\_MYDOCUMENTS
-
-- CSIDL\_MYPICTURES
-
-- FOLDERID\_OriginalImages
-
-- CSIDL\_MYMUSIC
-
-- CSIDL\_MYVIDEO
-
-- CSIDL\_FAVORITES
-
-- CSIDL\_DESKTOP
-
-- CSIDL\_QUICKLAUNCH
-
-- FOLDERID\_Contacts
-
-- FOLDERID\_Libraries
-
-- FOLDERID\_Downloads
-
-- FOLDERID\_SavedGames
-
-- FOLDERID\_RecordedTV
-
-**Note**
-Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the MigDocs.xml files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable.
-
-
-
-### Sample migration rules for customized versions of XML files
-
-**Note**
-For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [General Conventions](usmt-general-conventions.md).
-
-
-
-### Exclude rules usage examples
-
-In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default MigDocs.xml behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are:
-
-
-
-
-
-
-
-
-
Rule 1
-
<pattern type="File">d:\new folder[new text document.txt]</pattern>
-
-
-
Rule 2
-
<pattern type="File">d:\new folder[]</pattern>
-
-
-
-
-
-
-To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following:
-
-**Example 1: Exclude all .txt files in a folder**
-
-To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
-
-``` syntax
-
-
- D:\Newfolder\[new text document.txt]
- D:\New folder\*[*.txt]
-
-
-```
-
-**Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules**
-
-If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-``` syntax
-
-
-
-
-
-```
-
-**Example 3 : Use a UserandSystem context component to run rules in both contexts**
-
-If you want the <UnconditionalExclude> element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
-
-``` syntax
-
- MigDocExcludes
-
-
-
-
-
-
-
-
-
-
-```
-
-For more examples of exclude rules that you can use in custom migration XML files, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
-
-### Include rules usage examples
-
-The application data directory is the most common location that you would need to add an include rule for. The **GenerateDocPatterns** function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The Migapp.xml file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that are not linked, you can do the following:
-
-**Example 1: Include a file name extension in a known user folder**
-
-This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
-
-``` syntax
-
-
- %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst]
-
-
-```
-
-**Example 2: Include a file name extension in Program Files**
-
-For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component.
-
-``` syntax
-
-
- %CSIDL_PROGRAM_FILES%\*[*.pst]
-
-
-```
-
-For more examples of include rules that you can use in custom migration XML files, see [Include Files and Settings](usmt-include-files-and-settings.md).
-
-**Note**
-For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-
-
-## Next steps
-
-
-You can include additional rules for the migration in the MigDocs.xml file or other XML migration files. For example, you can use the <locationModify> element to move files from the folder where they were gathered to a different folder, when they are applied to the destination computer.
-
-You can use an XML schema (MigXML.xsd) file to validate the syntax of your customized XML files. For more information, see [USMT Resources](usmt-resources.md).
-
-## Related topics
-
-
-[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-
-[Include Files and Settings](usmt-include-files-and-settings.md)
-
-
-
-
-
-
-
-
-
+---
+title: Understanding Migration XML Files (Windows 10)
+description: Understanding Migration XML Files
+ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Understanding Migration XML Files
+
+
+You can modify the behavior of a basic User State Migration Tool (USMT)10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the MigDocs.xml and MigUser.xml files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a Config.xml file to further customize your migration.
+
+This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer.
+
+## In This Topic
+
+
+[Overview of the Config.xml file](#bkmk-config)
+
+[Overview of the MigApp.xml file](#bkmk-migapp)
+
+[Overview of the MigDocs.xml file](#bkmk-migdocs)
+
+[Overview of the MigUser.xml file](#bkmk-miguser)
+
+[Using multiple XML files](#bkmk-multiple)
+
+[XML rules for migrating user files](#bkmk-userfiles)
+
+[The GenerateDocPatterns function](#bkmk-generate)
+
+[Understanding the system and user context](#bkmk-context)
+
+[Sample migration rules for customized versions of XML files](#bkmk-samples)
+
+[Exclude rules usage examples](#bkmk-exclude)
+
+[Include rules usage examples](#bkmk-include)
+
+[Next Steps](#bkmk-next)
+
+## Overview of the Config.xml file
+
+
+The Config.xml file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The Config.xml file can be used in conjunction with other XML files, such as in the following example: `scanstate /i:migapps.xml /i:migdocs.xml /genconfig:c:\myFolder\config.xml`. When used this way, the Config.xml file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the Config.xml file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).
+
+**Note**
+When modifying the XML elements in the Config.xml file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files.
+
+
+
+## Overview of the MigApp.xml file
+
+
+The MigApp.xml file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). You must include the MigApp.xml file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The MigDocs.xml and MigUser.xml files do not migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md).
+
+**Important**
+The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. See the [Sample migration rules for customized versions of XML files](#bkmk-samples) section of this document for more information about migrating .pst files that are not linked to Outlook.
+
+
+
+## Overview of the MigDocs.xml file
+
+
+The MigDocs.xml file uses the new **GenerateDocPatterns** helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the MigDocs.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions.
+
+The default MigDocs.xml file migrates the following:
+
+- All files on the root of the drive except %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA%, or %USERS%.
+
+- All folders in the root directory of all fixed drives. For example: c:\\data\_mail\\\*\[\*\]
+
+- All files from the root of the Profiles folder, except for files in the system profile. For example: c:\\users\\name\[mail.pst\]
+
+- All folders from the root of the Profiles folder, except for the system-profile folders. For example: c:\\users\\name\\new folder\\\*\[\*\]
+
+- Standard shared folders:
+
+ - CSIDL\_COMMON\_DESKTOPDIRECTORY
+
+ - CSIDL\_COMMON\_FAVORITES
+
+ - CSIDL\_COMMON\_DOCUMENTS
+
+ - CSIDL\_COMMON\_MUSIC
+
+ - CSIDL\_COMMON\_PICTURES
+
+ - CSIDL\_COMMON\_VIDEO
+
+ - FOLDERID\_PublicDownloads
+
+- Standard user-profile folders for each user:
+
+ - CSIDL\_MYDOCUMENTS
+
+ - CSIDL\_MYPICTURES
+
+ - FOLDERID\_OriginalImages
+
+ - CSIDL\_MYMUSIC
+
+ - CSIDL\_MYVIDEO
+
+ - CSIDL\_FAVORITES
+
+ - CSIDL\_DESKTOP
+
+ - CSIDL\_QUICKLAUNCH
+
+ - FOLDERID\_Contacts
+
+ - FOLDERID\_Libraries
+
+ - FOLDERID\_Downloads
+
+ - FOLDERID\_SavedGames
+
+ - FOLDERID\_RecordedTV
+
+The default MigDocs.xml file will not migrate the following:
+
+- Files tagged with both the **hidden** and **system** attributes.
+
+- Files and folders on removable drives.
+
+- Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders.
+
+- Folders that contain installed applications.
+
+You can also use the **/genmigxml** option with the ScanState tool to review and modify what files will be migrated.
+
+## Overview of the MigUser.xml file
+
+
+The MigUser.xml file includes instructions for USMT to migrate user files based on file name extensions. You can use the MigUser.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The MigUser.xml file will gather all files from the standard user-profile folders, as well as any files on the computer with the specified file name extensions.
+
+The default MigUser.xml file migrates the following:
+
+- All files from the standard user-profile folders which are described as:
+
+ - CSIDL\_MYVIDEO
+
+ - CSIDL\_MYMUSIC
+
+ - CSIDL\_DESKTOP
+
+ - CSIDL\_STARTMENU
+
+ - CSIDL\_PERSONAL
+
+ - CSIDL\_MYPICTURES
+
+ - CSIDL\_FAVORITES
+
+ - CSIDL\_QUICK LAUNCH
+
+- Files with the following extensions:
+
+ .qdf, .qsd, .qel, .qph, .doc\*, .dot\*, .rtf, .mcw, .wps, .scd, .wri, .wpd, .xl\*, .csv, .iqy, .dqy, .oqy, .rqy, .wk\*, .wq1, .slk, .dif, .ppt\*, .pps\*, .pot\*, .sh3, .ch3, .pre, .ppa, .txt, .pst, .one\*, .vl\*, .vsd, .mpp, .or6, .accdb, .mdb, .pub
+
+The default MigUser.xml file does not migrate the following:
+
+- Files tagged with both the **hidden** and **system** attributes.
+
+- Files and folders on removable drives,
+
+- Data from the %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA% folders.
+
+- ACLS for files in folders outside the user profile.
+
+You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer.
+
+**Note**
+Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than three hundred file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document.
+
+
+
+## Using multiple XML files
+
+
+You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with additional migration rules.
+
+
+
+
+
+
+
+
+
XML migration file
+
Modifies the following components:
+
+
+
+
+
Config.xml file
+
Operating-system components such as desktop wallpaper and background theme.
+
You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see Customize USMT XML Files and Config.xml File.
+
+
+
MigApps.xml file
+
Applications settings.
+
+
+
MigUser.xml or MigDocs.xml files
+
User files and profile settings.
+
+
+
Custom XML files
+
Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.
+
+
+
+
+
+
+For example, you can use all of the XML migration file types for a single migration, as in the following example:
+
+```
+Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml
+```
+
+### XML rules for migrating user files
+
+**Important**
+You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer.
+
+
+
+If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions.
+
+If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#bkmk-createxml) section of this document.
+
+## Creating and editing a custom XML file
+
+
+You can use the **/genmigxml** command-line option to determine which files will be included in your migration. The **/genmigxml** option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary.
+
+**Note**
+If you reinstall USMT, the default migration XML files will be overwritten and any customizations you make directly to these files will be lost. Consider creating separate XML files for your custom migration rules and saving them in a secure location.
+
+
+
+To generate the XML migration rules file for a source computer:
+
+1. Click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as**.
+
+2. Select an account with administrator privileges, supply a password, and then click **OK**.
+
+3. At the command prompt, type:
+
+ ```
+ cd /d
+ scanstate.exe /genmigxml:
+ ```
+
+ Where *<USMTpath>* is the location on your source computer where you have saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, type:
+
+ ```
+ cd /d c:\USMT
+ scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
+ ```
+
+### The GenerateDocPatterns function
+
+The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes three Boolean values. You can change the settings to modify the way the MigDocs.xml file generates the XML rules for migration.
+
+
+
+
+
+
+
+
+
+
Setting
+
Value
+
Default Value
+
+
+
+
+
ScanProgramFiles
+
The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.
+
For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files:
If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions.
+
False
+
+
+
IncludePatterns
+
The IncludePatterns argument determines whether to generate exclude or include patterns in the XML. When this argument is set to TRUE, the GenerateDocPatterns function generates include patterns and the function must be added under the <include> element. Changing this argument to FALSE generates exclude patterns and the function must be added under the <exclude> element.
+
True
+
+
+
SystemDrive
+
The SystemDrive argument determines whether to generate patterns for all fixed drives or only for the system drive. Changing this argument to TRUE restricts all patterns to the system drive.
+
False
+
+
+
+
+
+
+**Usage:**
+
+```
+MigXmlHelper.GenerateDocPatterns ("", "", "")
+```
+
+To create include data patterns for only the system drive:
+
+``` xml
+
+
+
+
+
+```
+
+To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory:
+
+``` xml
+
+
+
+
+
+```
+
+To create exclude data patterns:
+
+``` xml
+
+
+
+
+
+```
+
+### Understanding the system and user context
+
+The migration XML files contain two <component> elements with different **context** settings. The system context applies to files on the computer that are not stored in the User Profiles directory, while the user context applies to files that are particular to an individual user.
+
+**System context**
+
+The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included:
+
+- CSIDL\_COMMON\_DESKTOPDIRECTORY
+
+- CSIDL\_COMMON\_FAVORITES
+
+- CSIDL\_COMMON\_DOCUMENTS
+
+- CSIDL\_COMMON\_MUSIC
+
+- CSIDL\_COMMON\_PICTURES
+
+- CSIDL\_COMMON\_VIDEO
+
+- FOLDERID\_PublicDownloads
+
+**User context**
+
+The user context includes rules for data in the User Profiles directory. When called in a user context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. The following folders are included:
+
+- CSIDL\_MYDOCUMENTS
+
+- CSIDL\_MYPICTURES
+
+- FOLDERID\_OriginalImages
+
+- CSIDL\_MYMUSIC
+
+- CSIDL\_MYVIDEO
+
+- CSIDL\_FAVORITES
+
+- CSIDL\_DESKTOP
+
+- CSIDL\_QUICKLAUNCH
+
+- FOLDERID\_Contacts
+
+- FOLDERID\_Libraries
+
+- FOLDERID\_Downloads
+
+- FOLDERID\_SavedGames
+
+- FOLDERID\_RecordedTV
+
+**Note**
+Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the MigDocs.xml files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable.
+
+
+
+### Sample migration rules for customized versions of XML files
+
+**Note**
+For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [General Conventions](usmt-general-conventions.md).
+
+
+
+### Exclude rules usage examples
+
+In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default MigDocs.xml behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are:
+
+
+
+
+
+
+
+
+
Rule 1
+
<pattern type="File">d:\new folder[new text document.txt]</pattern>
+
+
+
Rule 2
+
<pattern type="File">d:\new folder[]</pattern>
+
+
+
+
+
+
+To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following:
+
+**Example 1: Exclude all .txt files in a folder**
+
+To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
+
+``` xml
+
+
+ D:\Newfolder\[new text document.txt]
+ D:\New folder\*[*.txt]
+
+
+```
+
+**Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules**
+
+If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+``` xml
+
+
+
+
+
+```
+
+**Example 3 : Use a UserandSystem context component to run rules in both contexts**
+
+If you want the <UnconditionalExclude> element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
+
+``` xml
+
+ MigDocExcludes
+
+
+
+
+
+
+
+
+
+
+```
+
+For more examples of exclude rules that you can use in custom migration XML files, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
+
+### Include rules usage examples
+
+The application data directory is the most common location that you would need to add an include rule for. The **GenerateDocPatterns** function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The Migapp.xml file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that are not linked, you can do the following:
+
+**Example 1: Include a file name extension in a known user folder**
+
+This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
+
+``` xml
+
+
+ %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst]
+
+
+```
+
+**Example 2: Include a file name extension in Program Files**
+
+For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component.
+
+``` xml
+
+
+ %CSIDL_PROGRAM_FILES%\*[*.pst]
+
+
+```
+
+For more examples of include rules that you can use in custom migration XML files, see [Include Files and Settings](usmt-include-files-and-settings.md).
+
+**Note**
+For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+
+
+## Next steps
+
+
+You can include additional rules for the migration in the MigDocs.xml file or other XML migration files. For example, you can use the <locationModify> element to move files from the folder where they were gathered to a different folder, when they are applied to the destination computer.
+
+You can use an XML schema (MigXML.xsd) file to validate the syntax of your customized XML files. For more information, see [USMT Resources](usmt-resources.md).
+
+## Related topics
+
+
+[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+
+[Include Files and Settings](usmt-include-files-and-settings.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 3e694996e9..48782e0bdc 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,158 +1,159 @@
----
-title: USMT Best Practices (Windows 10)
-description: USMT Best Practices
-ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# USMT Best Practices
-
-
-This topic discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
-
-## General Best Practices
-
-
-- **Install applications before running the LoadState tool**
-
- Though it is not always essential, it is best practice to install all applications on the destination computer before restoring the user state. This helps ensure that migrated settings are preserved.
-
-- **Do not use MigUser.xml and MigDocs.xml together**
-
- If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the **/genmigxml** command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md).
-
-- **Use MigDocs.xml for a better migration experience**
-
- If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml file is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The MigUser.xml file migrates only the files with the specified file extensions.
-
-- **Close all applications before running either the ScanState or LoadState tools**
-
- Although using the **/vsc** switch can allow the migration of many files that are open with another application it is a best practice to close all applications in order to ensure all files and settings migrate. Without the **/vsc** or **/c** switch USMT will fail when it cannot migrate a file or setting. When you use the **/c** option USMT will ignore any files or settings that it cannot migrate and log an error each time.
-
-- **Log off after you run the LoadState**
-
- Some settings, such as fonts, wallpaper, and screensaver settings, will not take effect until the next time the user logs on. For this reason, you should log off after you run the LoadState tool.
-
-- **Managed environment**
-
- To create a managed environment, you can move all of the end user’s documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. This will help you to clean up files on the destination computer, if the LoadState command fails before completion.
-
-- **Chkdsk.exe**
-
- We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](https://go.microsoft.com/fwlink/p/?LinkId=140244).
-
-- **Migrate in groups**
-
- If you decide to perform the migration while users are using the network, it is best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups.
-
-## Security Best Practices
-
-
-As the authorized administrator, it is your responsibility to protect the privacy of the users and maintain security during and after the migration. In particular, you must consider the following issues:
-
-- **Encrypting File System (EFS)**
-
- Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For more information about EFS best practices, see this article in the [Microsoft Knowledge Base](https://go.microsoft.com/fwlink/p/?linkid=163). For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
-
- **Important**
- If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
-
-
-
-- **Encrypt the store**
-
- Consider using the **/encrypt** option with the ScanState command and the **/decrypt** option with the LoadState command. However, use extreme caution with this set of options, because anyone who has access to the ScanState command-line script also has access to the encryption key.
-
-- **Virus Scan**
-
- We recommend that you scan both the source and destination computers for viruses before running USMT. In addition, you should scan the destination computer image. To help protect data from viruses, we strongly recommend running an antivirus utility before migration.
-
-- **Maintain security of the file server and the deployment server**
-
- We recommend that you manage the security of the file and deployment servers. It is important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files is not exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657).
-
-- **Password Migration**
-
- To ensure the privacy of the end users, USMT does not migrate passwords, including those for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, as well as Remote Access Service (RAS) connections and mapped network drives. It is important to make sure that end users know their passwords.
-
-- **Local Account Creation**
-
- Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) topic.
-
-## XML File Best Practices
-
-
-- **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools**
-
- If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool.
-
-- **The <CustomFileName> in the migration urlid should match the name of the file**
-
- Although it is not a requirement, it is good practice for <CustomFileName> to match the name of the file. For example, the following is from the MigApp.xml file:
-
- ``` syntax
-
-
- ```
-
-- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax**
-
- The MigXML.xsd schema file should not be included on the command line or in any of the .xml files.
-
-- **Use the default migration XML files as models**
-
- To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on MigUser.xml. To migrate application settings, model your custom .xml file on the MigApp.xml file.
-
-- **Consider the impact on performance when using the <context> parameter**
-
- Your migration performance can be affected when you use the <context> element with the <component> element; for example, as in when you want to encapsulate logical units of file- or path-based <include> and <exclude> rules.
-
- In the **User** context, a rule is processed one time for each user on the system.
-
- In the **System** context, a rule is processed one time for the system.
-
- In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system.
-
- **Note**
- The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once.
-
-
-
-- **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files**
-
- For example, if you have code that migrates the settings for an application, you should not just add the code to the MigApp.xml file.
-
-- **You should not create custom .xml files to alter the operating system settings that are migrated**
-
- These settings are migrated by manifests and you cannot modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a Config.xml file.
-
-- **You can use the asterisk (\*) wildcard character in any migration XML file that you create**
-
- **Note**
- The question mark is not valid as a wildcard character in USMT .xml files.
-
-
-
-## Related topics
-
-
-[Migration Store Encryption](usmt-migration-store-encryption.md)
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: USMT Best Practices (Windows 10)
+description: USMT Best Practices
+ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# USMT Best Practices
+
+
+This topic discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
+
+## General Best Practices
+
+
+- **Install applications before running the LoadState tool**
+
+ Though it is not always essential, it is best practice to install all applications on the destination computer before restoring the user state. This helps ensure that migrated settings are preserved.
+
+- **Do not use MigUser.xml and MigDocs.xml together**
+
+ If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the **/genmigxml** command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md).
+
+- **Use MigDocs.xml for a better migration experience**
+
+ If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml file is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The MigUser.xml file migrates only the files with the specified file extensions.
+
+- **Close all applications before running either the ScanState or LoadState tools**
+
+ Although using the **/vsc** switch can allow the migration of many files that are open with another application it is a best practice to close all applications in order to ensure all files and settings migrate. Without the **/vsc** or **/c** switch USMT will fail when it cannot migrate a file or setting. When you use the **/c** option USMT will ignore any files or settings that it cannot migrate and log an error each time.
+
+- **Log off after you run the LoadState**
+
+ Some settings, such as fonts, wallpaper, and screensaver settings, will not take effect until the next time the user logs on. For this reason, you should log off after you run the LoadState tool.
+
+- **Managed environment**
+
+ To create a managed environment, you can move all of the end user’s documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. This will help you to clean up files on the destination computer, if the LoadState command fails before completion.
+
+- **Chkdsk.exe**
+
+ We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](https://go.microsoft.com/fwlink/p/?LinkId=140244).
+
+- **Migrate in groups**
+
+ If you decide to perform the migration while users are using the network, it is best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups.
+
+## Security Best Practices
+
+
+As the authorized administrator, it is your responsibility to protect the privacy of the users and maintain security during and after the migration. In particular, you must consider the following issues:
+
+- **Encrypting File System (EFS)**
+
+ Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For more information about EFS best practices, see this article in the [Microsoft Knowledge Base](https://go.microsoft.com/fwlink/p/?linkid=163). For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
+
+ **Important**
+ If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
+
+
+
+- **Encrypt the store**
+
+ Consider using the **/encrypt** option with the ScanState command and the **/decrypt** option with the LoadState command. However, use extreme caution with this set of options, because anyone who has access to the ScanState command-line script also has access to the encryption key.
+
+- **Virus Scan**
+
+ We recommend that you scan both the source and destination computers for viruses before running USMT. In addition, you should scan the destination computer image. To help protect data from viruses, we strongly recommend running an antivirus utility before migration.
+
+- **Maintain security of the file server and the deployment server**
+
+ We recommend that you manage the security of the file and deployment servers. It is important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files is not exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657).
+
+- **Password Migration**
+
+ To ensure the privacy of the end users, USMT does not migrate passwords, including those for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, as well as Remote Access Service (RAS) connections and mapped network drives. It is important to make sure that end users know their passwords.
+
+- **Local Account Creation**
+
+ Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) topic.
+
+## XML File Best Practices
+
+
+- **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools**
+
+ If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool.
+
+- **The <CustomFileName> in the migration urlid should match the name of the file**
+
+ Although it is not a requirement, it is good practice for <CustomFileName> to match the name of the file. For example, the following is from the MigApp.xml file:
+
+ ``` xml
+
+
+ ```
+
+- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax**
+
+ The MigXML.xsd schema file should not be included on the command line or in any of the .xml files.
+
+- **Use the default migration XML files as models**
+
+ To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on MigUser.xml. To migrate application settings, model your custom .xml file on the MigApp.xml file.
+
+- **Consider the impact on performance when using the <context> parameter**
+
+ Your migration performance can be affected when you use the <context> element with the <component> element; for example, as in when you want to encapsulate logical units of file- or path-based <include> and <exclude> rules.
+
+ In the **User** context, a rule is processed one time for each user on the system.
+
+ In the **System** context, a rule is processed one time for the system.
+
+ In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system.
+
+ **Note**
+ The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once.
+
+
+
+- **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files**
+
+ For example, if you have code that migrates the settings for an application, you should not just add the code to the MigApp.xml file.
+
+- **You should not create custom .xml files to alter the operating system settings that are migrated**
+
+ These settings are migrated by manifests and you cannot modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a Config.xml file.
+
+- **You can use the asterisk (\*) wildcard character in any migration XML file that you create**
+
+ **Note**
+ The question mark is not valid as a wildcard character in USMT .xml files.
+
+
+
+## Related topics
+
+
+[Migration Store Encryption](usmt-migration-store-encryption.md)
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index bdb613b683..db0aad8633 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,589 +1,590 @@
----
-title: Config.xml File (Windows 10)
-description: Config.xml File
-ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Config.xml File
-
-
-## Config.xml File
-
-
-The Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the **/genconfig** option with the ScanState.exe tool. If you want to include all of the default components, and do not want to change the default store-creation or profile-migration behavior, you do not need to create a Config.xml file.
-
-However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml and MigDocs.xml files, but you want to exclude certain components, you can create and modify a Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the Config.xml file if you want to exclude any of the operating-system settings that are migrated. It is necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior.
-
-The Config.xml file has a different format than the other migration .xml files, because it does not contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, as well as user-profile policy and error-control policy. For this reason, excluding components using the Config.xml file is easier than modifying the migration .xml files, because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file.
-
-For more information about using the Config.xml file with other migration files, such as the MigDocs.xml and MigApps.xml files, see [Understanding Migration XML Files](understanding-migration-xml-files.md).
-
-**Note**
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
-
-
-
-## In This Topic
-
-
-In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only.
-
-[<Policies>](#bkmk-policies)
-
-[<ErrorControl>](#bkmk-errorcontrol)
-
-[<fatal>](#bkmk-fatal)
-
-[<fileError>](#bkmk-fileerror)
-
-[<nonfatal>](#bkmk-nonfatal)
-
-[<registryError>](#bkmk-registryerror)
-
-[<HardLinkStoreControl>](#bkmk-hardlinkstorecontrol)
-
-[<fileLocked>](#bkmk-filelock)
-
-[<createHardLink>](#bkmk-createhardlink)
-
-[<errorHardLink>](#bkmk-errorhardlink)
-
-[<ProfileControl>](#bkmk-profilecontrol)
-
-[<localGroups>](#bkmk-localgroups)
-
-[<mappings>](#bkmk-mappings)
-
-[<changeGroup>](#bkmk-changegrou)
-
-[<include>](#bkmk-include)
-
-[<exclude>](#bkmk-exclude)
-
-[Sample Config.xml File](#bkmk-sampleconfigxjmlfile)
-
-## <Policies>
-
-
-The **<Policies>** element contains elements that describe the policies that USMT follows while creating a migration store. Valid children of the **<Policies>** element are **<ErrorControl>** and **<HardLinkStoreControl>**. The **<Policies>** element is a child of **<Configuration>**.
-
-Syntax: ``
-
-## <ErrorControl>
-
-
-The **<ErrorControl>** element is an optional element you can configure in the Config.xml file. The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: The **<Policies>** element
-
-- **Child elements**: The **<fileError>** and **<registryError>** element
-
-Syntax: ``
-
-The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users cannot be accessed because of any other reason. In the example below, the **<ErrorControl>** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error.
-
-Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed.
-
-``` syntax
-
-
- * [*]
- C:\Users\* [*]
-
-
- HKCU\SOFTWARE\Microsoft\* [*]
-
-
-```
-
-**Important**
-The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
-
-
-
-### <fatal>
-
-The **<fatal>** element is not required.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: **<fileError>** and **<registryError>**
-
-- **Child elements**: None.
-
-Syntax: ``*<pattern>*``
-
-
-
-
-
-
-
-
-
-
Parameter
-
Required
-
Value
-
-
-
-
-
errorCode
-
No
-
"any" or "specify system error message here"
-
-
-
-
-
-
-You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration.
-
-## <fileError>
-
-
-The **<fileError>** element is not required.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: **<ErrorControl>**
-
-- **Child elements**: **<nonFatal>** and **<fatal>**
-
-Syntax: ``
-
-You use the **<fileError>** element to represent the behavior associated with file errors.
-
-## <nonFatal>
-
-
-The **<nonFatal>** element is not required.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: The **<fileError>** and **<registryError>** elements.
-
-- **Child elements**: None.
-
-Syntax: ``*<pattern>*``
-
-
-
-
-
-
-
-
-
-
Parameter
-
Required
-
Value
-
-
-
-
-
<errorCode>
-
No
-
"any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages.
-
-
-
-
-
-
-You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
-
-## <registryError>
-
-
-The <registryError>element is not required.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: **<ErrorControl>**
-
-- **Child elements**: **<nonfatal>** and **<fatal>**
-
-Syntax: ``
-
-
-
-
-
-
-
-
-
-
Parameter
-
Required
-
Value
-
-
-
-
-
<errorCode>
-
No
-
"any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages.
-
-
-
-
-
-
-You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
-
-## <HardLinkStoreControl>
-
-
-The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**.
-
-Syntax: ``
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: **<Policies>**
-
-- **Child elements**: **<fileLocked>**
-
-Syntax: ``
-
-The **<HardLinkStoreControl>** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that cannot be copied, even though is technically possible for the link to be created.
-
-**Important**
-The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file’s location.
-
-
-
-``` syntax
-
-
-
- C:\Users\*
- C:\*
-
-
-
- […]
-
-
-```
-
-## <fileLocked>
-
-
-The **<fileLocked>** element contains elements that describe how to handle files that are locked for editing. The rules defined by the **<fileLocked>** element are processed in the order in which they appear in the XML file.
-
-Syntax: ``
-
-## <createHardLink>
-
-
-The **<createHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.
-
-Syntax: ``*<pattern>*``
-
-## <errorHardLink>
-
-
-The **<errorHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should not be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that is not possible, **Error\_Locked** is thrown. This is a standard Windows application programming interface (API) error that can be captured by the **<ErrorControl>** section to either cause USMT to skip the file or abort the migration.
-
-Syntax: ``*<pattern>*``
-
-## <ProfileControl>
-
-
-This element is used to contain other elements that establish rules for migrating profiles, users, and policies around local group membership during the migration. **<ProfileMigration>** is a child of **<Configuration>**.
-
-Syntax: <`ProfileControl> `
-
-## <localGroups>
-
-
-This element is used to contain other elements that establish rules for how to migrate local groups. **<localGroups>** is a child of **<ProfileControl>**.
-
-Syntax: ``
-
-## <mappings>
-
-
-This element is used to contain other elements that establish mappings between groups.
-
-Syntax: ``
-
-## <changeGroup>
-
-
-This element describes the source and destination groups for a local group membership change during the migration. It is a child of **<localGroups>**. The following parameters are defined:
-
-
-
-
-
-
-
-
-
-
Parameter
-
Required
-
Value
-
-
-
-
-
From
-
Yes
-
A valid local group on the source machine that contains users selected for migration on the command line.
-
-
-
To
-
Yes
-
A local group that the users are to be moved to during the migration.
-
-
-
appliesTo
-
Yes
-
nonmigratedUsers, migratedUsers, AllUsers. This value defines which users the change group operation should apply to.
-
-
-
-
-
-
-The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required.
-
-Syntax: ``
-
-## <include>
-
-
-This element specifies that its required child, *<pattern>*, should be included in the migration.
-
-Syntax: ````
-
-## <exclude>
-
-
-This element specifies that its required child, *<pattern>*, should be excluded from the migration.
-
-Syntax: ``` `
-
-## Sample Config.xml File
-
-
-Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration.
-
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Config.xml File (Windows 10)
+description: Config.xml File
+ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Config.xml File
+
+
+## Config.xml File
+
+
+The Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the **/genconfig** option with the ScanState.exe tool. If you want to include all of the default components, and do not want to change the default store-creation or profile-migration behavior, you do not need to create a Config.xml file.
+
+However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml and MigDocs.xml files, but you want to exclude certain components, you can create and modify a Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the Config.xml file if you want to exclude any of the operating-system settings that are migrated. It is necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior.
+
+The Config.xml file has a different format than the other migration .xml files, because it does not contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, as well as user-profile policy and error-control policy. For this reason, excluding components using the Config.xml file is easier than modifying the migration .xml files, because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file.
+
+For more information about using the Config.xml file with other migration files, such as the MigDocs.xml and MigApps.xml files, see [Understanding Migration XML Files](understanding-migration-xml-files.md).
+
+**Note**
+To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+
+
+
+## In This Topic
+
+
+In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only.
+
+[<Policies>](#bkmk-policies)
+
+[<ErrorControl>](#bkmk-errorcontrol)
+
+[<fatal>](#bkmk-fatal)
+
+[<fileError>](#bkmk-fileerror)
+
+[<nonfatal>](#bkmk-nonfatal)
+
+[<registryError>](#bkmk-registryerror)
+
+[<HardLinkStoreControl>](#bkmk-hardlinkstorecontrol)
+
+[<fileLocked>](#bkmk-filelock)
+
+[<createHardLink>](#bkmk-createhardlink)
+
+[<errorHardLink>](#bkmk-errorhardlink)
+
+[<ProfileControl>](#bkmk-profilecontrol)
+
+[<localGroups>](#bkmk-localgroups)
+
+[<mappings>](#bkmk-mappings)
+
+[<changeGroup>](#bkmk-changegrou)
+
+[<include>](#bkmk-include)
+
+[<exclude>](#bkmk-exclude)
+
+[Sample Config.xml File](#bkmk-sampleconfigxjmlfile)
+
+## <Policies>
+
+
+The **<Policies>** element contains elements that describe the policies that USMT follows while creating a migration store. Valid children of the **<Policies>** element are **<ErrorControl>** and **<HardLinkStoreControl>**. The **<Policies>** element is a child of **<Configuration>**.
+
+Syntax: ``
+
+## <ErrorControl>
+
+
+The **<ErrorControl>** element is an optional element you can configure in the Config.xml file. The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: The **<Policies>** element
+
+- **Child elements**: The **<fileError>** and **<registryError>** element
+
+Syntax: ``
+
+The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users cannot be accessed because of any other reason. In the example below, the **<ErrorControl>** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error.
+
+Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed.
+
+``` xml
+
+
+ * [*]
+ C:\Users\* [*]
+
+
+ HKCU\SOFTWARE\Microsoft\* [*]
+
+
+```
+
+**Important**
+The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
+
+
+
+### <fatal>
+
+The **<fatal>** element is not required.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: **<fileError>** and **<registryError>**
+
+- **Child elements**: None.
+
+Syntax: ``*<pattern>*``
+
+
+
+
+
+
+
+
+
+
Parameter
+
Required
+
Value
+
+
+
+
+
errorCode
+
No
+
"any" or "specify system error message here"
+
+
+
+
+
+
+You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration.
+
+## <fileError>
+
+
+The **<fileError>** element is not required.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: **<ErrorControl>**
+
+- **Child elements**: **<nonFatal>** and **<fatal>**
+
+Syntax: ``
+
+You use the **<fileError>** element to represent the behavior associated with file errors.
+
+## <nonFatal>
+
+
+The **<nonFatal>** element is not required.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: The **<fileError>** and **<registryError>** elements.
+
+- **Child elements**: None.
+
+Syntax: ``*<pattern>*``
+
+
+
+
+
+
+
+
+
+
Parameter
+
Required
+
Value
+
+
+
+
+
<errorCode>
+
No
+
"any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages.
+
+
+
+
+
+
+You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
+
+## <registryError>
+
+
+The <registryError>element is not required.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: **<ErrorControl>**
+
+- **Child elements**: **<nonfatal>** and **<fatal>**
+
+Syntax: ``
+
+
+
+
+
+
+
+
+
+
Parameter
+
Required
+
Value
+
+
+
+
+
<errorCode>
+
No
+
"any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages.
+
+
+
+
+
+
+You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
+
+## <HardLinkStoreControl>
+
+
+The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**.
+
+Syntax: ``
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: **<Policies>**
+
+- **Child elements**: **<fileLocked>**
+
+Syntax: ``
+
+The **<HardLinkStoreControl>** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that cannot be copied, even though is technically possible for the link to be created.
+
+**Important**
+The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file’s location.
+
+
+
+``` xml
+
+
+
+ C:\Users\*
+ C:\*
+
+
+
+ […]
+
+
+```
+
+## <fileLocked>
+
+
+The **<fileLocked>** element contains elements that describe how to handle files that are locked for editing. The rules defined by the **<fileLocked>** element are processed in the order in which they appear in the XML file.
+
+Syntax: ``
+
+## <createHardLink>
+
+
+The **<createHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.
+
+Syntax: ``*<pattern>*``
+
+## <errorHardLink>
+
+
+The **<errorHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should not be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that is not possible, **Error\_Locked** is thrown. This is a standard Windows application programming interface (API) error that can be captured by the **<ErrorControl>** section to either cause USMT to skip the file or abort the migration.
+
+Syntax: ``*<pattern>*``
+
+## <ProfileControl>
+
+
+This element is used to contain other elements that establish rules for migrating profiles, users, and policies around local group membership during the migration. **<ProfileMigration>** is a child of **<Configuration>**.
+
+Syntax: <`ProfileControl> `
+
+## <localGroups>
+
+
+This element is used to contain other elements that establish rules for how to migrate local groups. **<localGroups>** is a child of **<ProfileControl>**.
+
+Syntax: ``
+
+## <mappings>
+
+
+This element is used to contain other elements that establish mappings between groups.
+
+Syntax: ``
+
+## <changeGroup>
+
+
+This element describes the source and destination groups for a local group membership change during the migration. It is a child of **<localGroups>**. The following parameters are defined:
+
+
+
+
+
+
+
+
+
+
Parameter
+
Required
+
Value
+
+
+
+
+
From
+
Yes
+
A valid local group on the source machine that contains users selected for migration on the command line.
+
+
+
To
+
Yes
+
A local group that the users are to be moved to during the migration.
+
+
+
appliesTo
+
Yes
+
nonmigratedUsers, migratedUsers, AllUsers. This value defines which users the change group operation should apply to.
+
+
+
+
+
+
+The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required.
+
+Syntax: ``
+
+## <include>
+
+
+This element specifies that its required child, *<pattern>*, should be included in the migration.
+
+Syntax: ````
+
+## <exclude>
+
+
+This element specifies that its required child, *<pattern>*, should be excluded from the migration.
+
+Syntax: ``` `
+
+## Sample Config.xml File
+
+
+Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index ecba40336b..5b40bd3e9d 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,464 +1,465 @@
----
-title: Conflicts and Precedence (Windows 10)
-description: Conflicts and Precedence
-ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Conflicts and Precedence
-
-
-When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind.
-
-- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic.
-
-- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule.
-
-- **If the rules are equally specific, <exclude> takes precedence over <include>.** For example, if you use the <exclude> rule to exclude a file and use the <include> rule to include the same file, the file will be excluded.
-
-- **The ordering of components does not matter.** It does not matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files.
-
-- **The ordering of the <include> and <exclude> rules within a component does not matter.**
-
-- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData.
-
-## In This Topic
-
-
-**General**
-
-- [What is the relationship between rules that are located within different components?](#bkmk2)
-
-- [How does precedence work with the Config.xml file?](#bkmk3)
-
-- [How does USMT process each component in an .xml file with multiple components?](#bkmk4)
-
-- [How are rules processed?](#bkmk5)
-
-- [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6)
-
-**The <include> and <exclude> rules**
-
-- [What happens when there are conflicting include and exclude rules?](#bkmk1)
-
-- [<include> and <exclude> precedence examples](#precexamples)
-
-**File collisions**
-
-- [What is the default behavior when there are file collisions?](#collisions)
-
-- [How does the <merge> rule work when there are file collisions?](#bkmk11)
-
-## General
-
-
-### What is the relationship between rules that are located within different components?
-
-Only rules inside the same component can affect each other, depending on specificity, except for the <unconditionalExclude> rule. Rules that are in different components do not affect each other. If there is an <include> rule in one component and an identical <exclude> rule in another component, the data will be migrated because the two rules are independent of each other.
-
-If you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule.
-
-The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component.
-
-``` syntax
-
-
-User Documents
-
-
-
-
- C:\Userdocs\* [*.mp3]
-
-
-
-
-
-
-
- User documents to include
-
-
-
-
- C:\Userdocs\ [*]
-
-
-
-
-
-
-```
-
-### How does precedence work with the Config.xml file?
-
-Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
-
-``` syntax
-
-
- %CSIDL_PERSONAL%\* [*.doc]
-
-
-```
-
-### How does USMT process each component in an .xml file with multiple components?
-
-The ordering of components does not matter. Each component is processed independently of other components. For example, if you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule.
-
-### How are rules processed?
-
-There are two broad categories of rules.
-
-- **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the <include>, <exclude>, and <unconditionalExclude> rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each <include> rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it is going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer.
-
-- **Rules that affect the behavior of only the LoadState tool**. For example, the <locationModify>, <contentModify>, and <destinationCleanup> rules do not affect ScanState. They are processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the <locationModify>and <contentModify> rules. Then, LoadState processes all of the <destinationCleanup> rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer.
-
-### How does USMT combine all of the .xml files that I specify on the command line?
-
-USMT does not distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid.
-
-## The <include> and <exclude> rules
-
-
-### What happens when there are conflicting <include> and <exclude> rules?
-
-If there are conflicting rules within a component, the most specific rule is applied, except with the <unconditionalExclude> rule, which takes precedence over all other rules. If the rules are equally specific, then the data will be not be migrated. For example if you exclude a file, and include the same file, the file will not be migrated. If there are conflicting rules within different components, the rules do not affect each other because each component is processed independently.
-
-In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions.
-
-``` syntax
-
-
- C:\Data\* [*]
-
-
-
-
- C:\* [*.mp3]
-
-
-```
-
-### <include> and <exclude> rules precedence examples
-
-These examples explain how USMT deals with <include> and <exclude> rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files.
-
-- [Including and excluding files](#filesex)
-
-- [Including and excluding registry objects](#regex)
-
-### Including and excluding files
-
-
-
-
-
-
-
-
-
-
If you have the following code in the same component
-
Resulting behavior
-
Explanation
-
-
-
-
-
-
Include rule: <pattern type="File">C:\Dir1* []</pattern>
Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2).
-
Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed.
-
-
-
Component 1:
-
-
Include rule: C:\Dir1\Dir2* []
-
-
Component 2:
-
-
Exclude rule: C:\Dir1* [.txt]
-
-
Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders.
-
Both rules are processed as intended.
-
-
-
Component 1:
-
-
Exclude rule: C:\Dir1\Dir2* []
-
-
Component 2:
-
-
Include rule: C:\Dir1* [.txt]
-
-
Migrates all .txt files in Dir1 and any subfolders.
-
Component 1 does not contain an <include> rule, so the <exclude> rule is not processed.
-
-
-
-
-
-
-### Including and excluding registry objects
-
-
-
-
-
-
-
-
-
-
If you have the following code in the same component
-
Resulting behavior
-
Explanation
-
-
-
-
-
-
Include rule: HKLM\Software\Microsoft\Command Processor* []
Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor.
-
Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed.
-
-
-
-
-
-
-## File collisions
-
-
-### What is the default behavior when there are file collisions?
-
-If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on.
-
-### How does the <merge> rule work when there are file collisions?
-
-When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific.
-
-### Example scenario
-
-The source computer contains the following files:
-
-- C:\\Data\\SampleA.txt
-
-- C:\\Data\\SampleB.txt
-
-- C:\\Data\\Folder\\SampleB.txt
-
-The destination computer contains the following files:
-
-- C:\\Data\\SampleB.txt
-
-- C:\\Data\\Folder\\SampleB.txt
-
-You have a custom .xml file that contains the following code:
-
-``` syntax
-
-
- c:\data\* [*]
-
-
-```
-
-For this example, the following table describes the resulting behavior if you add the code in the first column to your custom .xml file.
-
-
During ScanState, all the files will be added to the store.
-
During LoadState, the following will occur:
-
-
C:\Data\SampleA.txt will be restored.
-
C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer.
-
C:\Data\Folder\SampleB.txt will not be restored.
-
-
-
-
-
-
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Conflicts and Precedence (Windows 10)
+description: Conflicts and Precedence
+ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Conflicts and Precedence
+
+
+When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind.
+
+- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic.
+
+- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule.
+
+- **If the rules are equally specific, <exclude> takes precedence over <include>.** For example, if you use the <exclude> rule to exclude a file and use the <include> rule to include the same file, the file will be excluded.
+
+- **The ordering of components does not matter.** It does not matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files.
+
+- **The ordering of the <include> and <exclude> rules within a component does not matter.**
+
+- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData.
+
+## In This Topic
+
+
+**General**
+
+- [What is the relationship between rules that are located within different components?](#bkmk2)
+
+- [How does precedence work with the Config.xml file?](#bkmk3)
+
+- [How does USMT process each component in an .xml file with multiple components?](#bkmk4)
+
+- [How are rules processed?](#bkmk5)
+
+- [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6)
+
+**The <include> and <exclude> rules**
+
+- [What happens when there are conflicting include and exclude rules?](#bkmk1)
+
+- [<include> and <exclude> precedence examples](#precexamples)
+
+**File collisions**
+
+- [What is the default behavior when there are file collisions?](#collisions)
+
+- [How does the <merge> rule work when there are file collisions?](#bkmk11)
+
+## General
+
+
+### What is the relationship between rules that are located within different components?
+
+Only rules inside the same component can affect each other, depending on specificity, except for the <unconditionalExclude> rule. Rules that are in different components do not affect each other. If there is an <include> rule in one component and an identical <exclude> rule in another component, the data will be migrated because the two rules are independent of each other.
+
+If you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule.
+
+The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component.
+
+``` xml
+
+
+User Documents
+
+
+
+
+ C:\Userdocs\* [*.mp3]
+
+
+
+
+
+
+
+ User documents to include
+
+
+
+
+ C:\Userdocs\ [*]
+
+
+
+
+
+
+```
+
+### How does precedence work with the Config.xml file?
+
+Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
+
+``` xml
+
+
+ %CSIDL_PERSONAL%\* [*.doc]
+
+
+```
+
+### How does USMT process each component in an .xml file with multiple components?
+
+The ordering of components does not matter. Each component is processed independently of other components. For example, if you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule.
+
+### How are rules processed?
+
+There are two broad categories of rules.
+
+- **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the <include>, <exclude>, and <unconditionalExclude> rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each <include> rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it is going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer.
+
+- **Rules that affect the behavior of only the LoadState tool**. For example, the <locationModify>, <contentModify>, and <destinationCleanup> rules do not affect ScanState. They are processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the <locationModify>and <contentModify> rules. Then, LoadState processes all of the <destinationCleanup> rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer.
+
+### How does USMT combine all of the .xml files that I specify on the command line?
+
+USMT does not distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid.
+
+## The <include> and <exclude> rules
+
+
+### What happens when there are conflicting <include> and <exclude> rules?
+
+If there are conflicting rules within a component, the most specific rule is applied, except with the <unconditionalExclude> rule, which takes precedence over all other rules. If the rules are equally specific, then the data will be not be migrated. For example if you exclude a file, and include the same file, the file will not be migrated. If there are conflicting rules within different components, the rules do not affect each other because each component is processed independently.
+
+In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions.
+
+``` xml
+
+
+ C:\Data\* [*]
+
+
+
+
+ C:\* [*.mp3]
+
+
+```
+
+### <include> and <exclude> rules precedence examples
+
+These examples explain how USMT deals with <include> and <exclude> rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files.
+
+- [Including and excluding files](#filesex)
+
+- [Including and excluding registry objects](#regex)
+
+### Including and excluding files
+
+
+
+
+
+
+
+
+
+
If you have the following code in the same component
+
Resulting behavior
+
Explanation
+
+
+
+
+
+
Include rule: <pattern type="File">C:\Dir1* []</pattern>
Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2).
+
Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed.
+
+
+
Component 1:
+
+
Include rule: C:\Dir1\Dir2* []
+
+
Component 2:
+
+
Exclude rule: C:\Dir1* [.txt]
+
+
Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders.
+
Both rules are processed as intended.
+
+
+
Component 1:
+
+
Exclude rule: C:\Dir1\Dir2* []
+
+
Component 2:
+
+
Include rule: C:\Dir1* [.txt]
+
+
Migrates all .txt files in Dir1 and any subfolders.
+
Component 1 does not contain an <include> rule, so the <exclude> rule is not processed.
+
+
+
+
+
+
+### Including and excluding registry objects
+
+
+
+
+
+
+
+
+
+
If you have the following code in the same component
+
Resulting behavior
+
Explanation
+
+
+
+
+
+
Include rule: HKLM\Software\Microsoft\Command Processor* []
Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor.
+
Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed.
+
+
+
+
+
+
+## File collisions
+
+
+### What is the default behavior when there are file collisions?
+
+If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on.
+
+### How does the <merge> rule work when there are file collisions?
+
+When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific.
+
+### Example scenario
+
+The source computer contains the following files:
+
+- C:\\Data\\SampleA.txt
+
+- C:\\Data\\SampleB.txt
+
+- C:\\Data\\Folder\\SampleB.txt
+
+The destination computer contains the following files:
+
+- C:\\Data\\SampleB.txt
+
+- C:\\Data\\Folder\\SampleB.txt
+
+You have a custom .xml file that contains the following code:
+
+``` xml
+
+
+ c:\data\* [*]
+
+
+```
+
+For this example, the following table describes the resulting behavior if you add the code in the first column to your custom .xml file.
+
+
During ScanState, all the files will be added to the store.
+
During LoadState, the following will occur:
+
+
C:\Data\SampleA.txt will be restored.
+
C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer.
+
C:\Data\Folder\SampleB.txt will not be restored.
+
+
+
+
+
+
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index af14caacd3..66f4f18511 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,317 +1,318 @@
----
-title: Custom XML Examples (Windows 10)
-description: Custom XML Examples
-ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Custom XML Examples
-
-
-**Note**
-Because the tables in this topic are wide, you may need to adjust the width of its window.
-
-
-
-## In This Topic:
-
-
-- [Example 1: Migrating an Unsupported Application](#example)
-
-- [Example 2: Migrating the My Videos Folder](#example2)
-
-- [Example 3: Migrating Files and Registry Keys](#example3)
-
-- [Example 4: Migrating Specific Folders from Various Locations](#example4)
-
-## Example 1: Migrating an Unsupported Application
-
-
-The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file.
-
-``` syntax
-
-
-
- Some Application
-
-
-
-
-
- value
-
-
-
-
-
-
-
-
-
-
-
- MigXMLHelper.DoesObjectExist("Registry","HKLM\Software\MyApp [win32_version]")
-
-
-
-
- MigXMLHelper.DoesFileVersionMatch("%MyAppExePath%","ProductVersion","8.*")
- MigXMLHelper.DoesFileVersionMatch("%MyAppExePath%","ProductVersion","9.*")
-
-
-
-
-
-
-
-
- HKCU\Software\MyApp\Toolbar\* [*]
- HKCU\Software\MyApp\ListView\* [*]
- HKCU\Software\MyApp [ShowTips]
-
-
-
-
-
-
- HKCU\Software\MyApp\Toolbar\* [*]
- HKCU\Software\MyApp\ListView\* [*]
- HKCU\Software\MyApp [ShowTips]
-
-
-
-
-
-
- HKCU\Software\MyApp [Display]
-
-
-
-
-
-
-```
-
-## Example 2: Migrating the My Videos Folder
-
-
-The following is a custom .xml file named CustomFile.xml that migrates My Videos for all users, if the folder exists on the source computer.
-
-
Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering.
Migrates the entire registry hive under HKLM\Software\USMTTESTKEY.
-
-
-
-
-
-
-``` syntax
-
-
- File Migration Test
-
-
-
-
- %ProgramFiles%\USMTTestFolder\* [USMTTestFile.txt]
- %ProgramFiles%\USMTDIRTestFolder\* [*]
-
-
-
-
-
-
- Registry Migration Test
-
-
-
-
- HKCU\Software\USMTTESTKEY\* [MyKey]
- HKLM\Software\USMTTESTKEY\* [*]
-
-
-
-
-
-
-```
-
-## Example 4: Migrating Specific Folders from Various Locations
-
-
-The behavior for this custom .xml file is described within the <`displayName`> tags in the code.
-
-``` syntax
-
-
-
- Component to migrate all Engineering Drafts subfolders without documents in this folder
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
- C:\EngineeringDrafts\ [*]
-
-
-
-
-
-
-
- Component to migrate all user documents except Sample.doc
-
-
-
-
- C:\UserDocuments\* [*]
-
-
-
-
- C:\UserDocuments\ [Sample.doc]
-
-
-
-
-
-
-
- Component to migrate all Requests folders on any drive on the computer
-
-
-
-
-
-
-
-
-
-
-
-
-
- Component to migrate all Presentations folder from any location on the C: drive
-
-
-
-
- C:\*\Presentations\* [*]
- C:\Presentations\* [*]
-
-
-
-
-
-
-```
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-[Customize USMT XML Files](usmt-customize-xml-files.md)
-
-
-
-
-
-
-
-
-
+---
+title: Custom XML Examples (Windows 10)
+description: Custom XML Examples
+ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Custom XML Examples
+
+
+**Note**
+Because the tables in this topic are wide, you may need to adjust the width of its window.
+
+
+
+## In This Topic:
+
+
+- [Example 1: Migrating an Unsupported Application](#example)
+
+- [Example 2: Migrating the My Videos Folder](#example2)
+
+- [Example 3: Migrating Files and Registry Keys](#example3)
+
+- [Example 4: Migrating Specific Folders from Various Locations](#example4)
+
+## Example 1: Migrating an Unsupported Application
+
+
+The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file.
+
+``` xml
+
+
+
+ Some Application
+
+
+
+
+
+ value
+
+
+
+
+
+
+
+
+
+
+
+ MigXMLHelper.DoesObjectExist("Registry","HKLM\Software\MyApp [win32_version]")
+
+
+
+
+ MigXMLHelper.DoesFileVersionMatch("%MyAppExePath%","ProductVersion","8.*")
+ MigXMLHelper.DoesFileVersionMatch("%MyAppExePath%","ProductVersion","9.*")
+
+
+
+
+
+
+
+
+ HKCU\Software\MyApp\Toolbar\* [*]
+ HKCU\Software\MyApp\ListView\* [*]
+ HKCU\Software\MyApp [ShowTips]
+
+
+
+
+
+
+ HKCU\Software\MyApp\Toolbar\* [*]
+ HKCU\Software\MyApp\ListView\* [*]
+ HKCU\Software\MyApp [ShowTips]
+
+
+
+
+
+
+ HKCU\Software\MyApp [Display]
+
+
+
+
+
+
+```
+
+## Example 2: Migrating the My Videos Folder
+
+
+The following is a custom .xml file named CustomFile.xml that migrates My Videos for all users, if the folder exists on the source computer.
+
+
Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering.
Migrates the entire registry hive under HKLM\Software\USMTTESTKEY.
+
+
+
+
+
+
+``` xml
+
+
+ File Migration Test
+
+
+
+
+ %ProgramFiles%\USMTTestFolder\* [USMTTestFile.txt]
+ %ProgramFiles%\USMTDIRTestFolder\* [*]
+
+
+
+
+
+
+ Registry Migration Test
+
+
+
+
+ HKCU\Software\USMTTESTKEY\* [MyKey]
+ HKLM\Software\USMTTESTKEY\* [*]
+
+
+
+
+
+
+```
+
+## Example 4: Migrating Specific Folders from Various Locations
+
+
+The behavior for this custom .xml file is described within the <`displayName`> tags in the code.
+
+``` xml
+
+
+
+ Component to migrate all Engineering Drafts subfolders without documents in this folder
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+ C:\EngineeringDrafts\ [*]
+
+
+
+
+
+
+
+ Component to migrate all user documents except Sample.doc
+
+
+
+
+ C:\UserDocuments\* [*]
+
+
+
+
+ C:\UserDocuments\ [Sample.doc]
+
+
+
+
+
+
+
+ Component to migrate all Requests folders on any drive on the computer
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Component to migrate all Presentations folder from any location on the C: drive
+
+
+
+
+ C:\*\Presentations\* [*]
+ C:\Presentations\* [*]
+
+
+
+
+
+
+```
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+[Customize USMT XML Files](usmt-customize-xml-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index a3d0fe1b02..4b2d8385c2 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -1,235 +1,236 @@
----
-title: Hard-Link Migration Store (Windows 10)
-description: Hard-Link Migration Store
-ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Hard-Link Migration Store
-
-
-A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs and enables entirely new migration scenarios.
-
-## In This Topic
-
-
-[When to Use a Hard-Link Migration](#bkmk-when)
-
-[Understanding a Hard-Link Migration](#bkmk-understandhardlinkmig)
-
-[Scenario](#bkmk-scenario)
-
-[Hard-Link Migration Store Details](#bkmk-hardlinkstoredetails)
-
-[Hard Disk Space](#bkmk-harddiskspace)
-
-[Hard-Link Store Size Estimation](#bkmk-hardlinkstoresizeest)
-
-[Migration Store Path on Multiple Volumes](#bkmk-migstoremultvolumes)
-
-[Location Modifications](#bkmk-locationmodify)
-
-[Migrating Encrypting File System (EFS) Certificates and Files](#bkmk-efs)
-
-[Migrating Locked Files With the Hard-Link Migration Store](#bkmk-miglockedfiles)
-
-[XML Elements in the Config.xml File](#bkmk-xmlelementsinconfig)
-
-## When to Use a Hard-Link Migration
-
-
-You can use a hard-link migration store when your planned migration meets both of the following criteria:
-
-- You are upgrading the operating system on existing hardware rather than migrating to new computers.
-
-- You are upgrading the operating system on the same volume of the computer.
-
-You cannot use a hard-link migration store if your planned migration includes any of the following:
-
-- You are migrating data from one computer to a second computer.
-
-- You are migrating data from one volume on a computer to another volume, for example from C: to D:.
-
-- You are formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store.
-
-## Understanding a Hard-Link Migration
-
-
-The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario.
-
-When you create a hard link, you give an existing file an additional path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These are two paths to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file.
-
-**Note**
-A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario.
-
-
-
-For more information about hard links, please see [Hard Links and Junctions](https://go.microsoft.com/fwlink/p/?LinkId=132934)
-
-In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place.
-
-As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system.
-
-**Important**
-Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss.
-
-
-
-Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons:
-
-- Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file.
-
-- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up additional disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files.
-
-- Editing the file by using different paths simultaneously may result in data corruption.
-
-**Important**
-The read-only file attribute on migrated files is lost when the hard-link migration store is deleted. This is due to a limitation in NTFS file system hard links.
-
-
-
-## Hard-Link Migration Scenario
-
-
-For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated.
-
-1. An administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink** command-line option. The ScanState tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances.
-
- **Note**
- As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with Loadstate.
-
-
-
-2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses.
-
-3. An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer.
-
-## Hard-Link Migration Store Details
-
-
-This section provides details about hard-link migration stores.
-
-### Hard Disk Space
-
-The **/hardlink** command-line option proceeds with creating the migration store only if there is 250 megabytes (MB) of free space on the hard disk. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration.
-
-### Hard-Link Store Size Estimation
-
-It is not necessary to estimate the size of a hard-link migration store. Estimating the size of a migration store is only useful in scenarios where the migration store is very large, and on NTFS volumes the hard-link migration store will require much less incremental space than other store options. The only case where the local store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual.
-
-### Migration Store Path on Multiple Volumes
-
-Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example:
-
-`Scanstate /hardlink c:\USMTMIG […]`
-
-Running this command on a system that contains the operating system on the C: drive and the user data on the D: drive will generate migration stores in the following locations, assuming that both drives are NTFS:
-
-C:\\USMTMIG\\
-
-D:\\USMTMIG\\
-
-The drive you specify on the command line for the hard-link migration store is important, because it defines where the *master migration store* should be placed. The *master migration store* is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the **/o** option must be used to overwrite the existing data in the store.
-
-### Location Modifications
-
-Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes.
-
-### Migrating Encrypting File System (EFS) Certificates and Files
-
-To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the **/efs:hardlink** option in the Scanstate command-line syntax.
-
-If the EFS files are being restored to a different partition, you should use the **/efs:copyraw** option instead of the **/efs:hardlink** option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The **/efs:copyraw** option will copy the files to the new partition in encrypted format.
-
-For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md) and the Encrypted File Options in [ScanState Syntax](usmt-scanstate-syntax.md).
-
-### Migrating Locked Files with the Hard-Link Migration Store
-
-Files that are locked by an application or the operating system are handled differently when using a hard-link migration store.
-
-Files that are locked by the operating system cannot remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you do not migrate any files out of the \\Windows directory, which minimizes performance-related issues.
-
-Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service is not being utilized. The volume shadow-copy service cannot be used in conjunction with hard-link migrations. However, by modifying the new **<HardLinkStoreControl>** section in the Config.xml file, it is possible to enable the migration of files locked by an application.
-
-**Important**
-There are some scenarios in which modifying the **<HardLinkStoreControl>** section in the Config.xml file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use USMTutils.exe to schedule the migration store for deletion on the next restart.
-
-
-
-## XML Elements in the Config.xml File
-
-
-A new section in the Config.xml file allows optional configuration of some of the hard-link migration behavior introduced with the **/HardLink** option.
-
-
-
-
-
-
-
-
-
<Policies>
-
This element contains elements that describe the policies that USMT follows while creating a migration store.
-
-
-
<HardLinkStoreControl>
-
This element contains elements that describe how to handle files during the creation of a hard link migration store.
-
-
-
<fileLocked>
-
This element contains elements that describe how to handle files that are locked for editing.
-
-
-
<createHardLink>
-
This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.
This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application.
-
<errorHardLink> [pattern] </errorHardLink>
-
-
-
-
-
-
-**Important**
-You must use the **/nocompress** option with the **/HardLink** option.
-
-
-
-The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
-
-``` syntax
-
-
-
- c:\Users\* [*]
- C:\* [*]
-
-
-
-```
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-
-
-
-
-
-
-
-
+---
+title: Hard-Link Migration Store (Windows 10)
+description: Hard-Link Migration Store
+ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Hard-Link Migration Store
+
+
+A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs and enables entirely new migration scenarios.
+
+## In This Topic
+
+
+[When to Use a Hard-Link Migration](#bkmk-when)
+
+[Understanding a Hard-Link Migration](#bkmk-understandhardlinkmig)
+
+[Scenario](#bkmk-scenario)
+
+[Hard-Link Migration Store Details](#bkmk-hardlinkstoredetails)
+
+[Hard Disk Space](#bkmk-harddiskspace)
+
+[Hard-Link Store Size Estimation](#bkmk-hardlinkstoresizeest)
+
+[Migration Store Path on Multiple Volumes](#bkmk-migstoremultvolumes)
+
+[Location Modifications](#bkmk-locationmodify)
+
+[Migrating Encrypting File System (EFS) Certificates and Files](#bkmk-efs)
+
+[Migrating Locked Files With the Hard-Link Migration Store](#bkmk-miglockedfiles)
+
+[XML Elements in the Config.xml File](#bkmk-xmlelementsinconfig)
+
+## When to Use a Hard-Link Migration
+
+
+You can use a hard-link migration store when your planned migration meets both of the following criteria:
+
+- You are upgrading the operating system on existing hardware rather than migrating to new computers.
+
+- You are upgrading the operating system on the same volume of the computer.
+
+You cannot use a hard-link migration store if your planned migration includes any of the following:
+
+- You are migrating data from one computer to a second computer.
+
+- You are migrating data from one volume on a computer to another volume, for example from C: to D:.
+
+- You are formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store.
+
+## Understanding a Hard-Link Migration
+
+
+The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario.
+
+When you create a hard link, you give an existing file an additional path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These are two paths to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file.
+
+**Note**
+A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario.
+
+
+
+For more information about hard links, please see [Hard Links and Junctions](https://go.microsoft.com/fwlink/p/?LinkId=132934)
+
+In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place.
+
+As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system.
+
+**Important**
+Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss.
+
+
+
+Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons:
+
+- Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file.
+
+- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up additional disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files.
+
+- Editing the file by using different paths simultaneously may result in data corruption.
+
+**Important**
+The read-only file attribute on migrated files is lost when the hard-link migration store is deleted. This is due to a limitation in NTFS file system hard links.
+
+
+
+## Hard-Link Migration Scenario
+
+
+For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated.
+
+1. An administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink** command-line option. The ScanState tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances.
+
+ **Note**
+ As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with Loadstate.
+
+
+
+2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses.
+
+3. An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer.
+
+## Hard-Link Migration Store Details
+
+
+This section provides details about hard-link migration stores.
+
+### Hard Disk Space
+
+The **/hardlink** command-line option proceeds with creating the migration store only if there is 250 megabytes (MB) of free space on the hard disk. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration.
+
+### Hard-Link Store Size Estimation
+
+It is not necessary to estimate the size of a hard-link migration store. Estimating the size of a migration store is only useful in scenarios where the migration store is very large, and on NTFS volumes the hard-link migration store will require much less incremental space than other store options. The only case where the local store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual.
+
+### Migration Store Path on Multiple Volumes
+
+Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example:
+
+`Scanstate /hardlink c:\USMTMIG […]`
+
+Running this command on a system that contains the operating system on the C: drive and the user data on the D: drive will generate migration stores in the following locations, assuming that both drives are NTFS:
+
+C:\\USMTMIG\\
+
+D:\\USMTMIG\\
+
+The drive you specify on the command line for the hard-link migration store is important, because it defines where the *master migration store* should be placed. The *master migration store* is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the **/o** option must be used to overwrite the existing data in the store.
+
+### Location Modifications
+
+Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes.
+
+### Migrating Encrypting File System (EFS) Certificates and Files
+
+To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the **/efs:hardlink** option in the Scanstate command-line syntax.
+
+If the EFS files are being restored to a different partition, you should use the **/efs:copyraw** option instead of the **/efs:hardlink** option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The **/efs:copyraw** option will copy the files to the new partition in encrypted format.
+
+For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md) and the Encrypted File Options in [ScanState Syntax](usmt-scanstate-syntax.md).
+
+### Migrating Locked Files with the Hard-Link Migration Store
+
+Files that are locked by an application or the operating system are handled differently when using a hard-link migration store.
+
+Files that are locked by the operating system cannot remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you do not migrate any files out of the \\Windows directory, which minimizes performance-related issues.
+
+Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service is not being utilized. The volume shadow-copy service cannot be used in conjunction with hard-link migrations. However, by modifying the new **<HardLinkStoreControl>** section in the Config.xml file, it is possible to enable the migration of files locked by an application.
+
+**Important**
+There are some scenarios in which modifying the **<HardLinkStoreControl>** section in the Config.xml file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use USMTutils.exe to schedule the migration store for deletion on the next restart.
+
+
+
+## XML Elements in the Config.xml File
+
+
+A new section in the Config.xml file allows optional configuration of some of the hard-link migration behavior introduced with the **/HardLink** option.
+
+
+
+
+
+
+
+
+
<Policies>
+
This element contains elements that describe the policies that USMT follows while creating a migration store.
+
+
+
<HardLinkStoreControl>
+
This element contains elements that describe how to handle files during the creation of a hard link migration store.
+
+
+
<fileLocked>
+
This element contains elements that describe how to handle files that are locked for editing.
+
+
+
<createHardLink>
+
This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.
This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application.
+
<errorHardLink> [pattern] </errorHardLink>
+
+
+
+
+
+
+**Important**
+You must use the **/nocompress** option with the **/HardLink** option.
+
+
+
+The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
+
+``` xml
+
+
+
+ c:\Users\* [*]
+ C:\* [*]
+
+
+
+```
+
+## Related topics
+
+
+[Plan Your Migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 10f0cf2676..c594b6ea7d 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -1,226 +1,227 @@
----
-title: Include Files and Settings (Windows 10)
-description: Include Files and Settings
-ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Include Files and Settings
-
-
-When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) To include additional files and settings, we recommend that you create a custom .xml file and then include this file when using both the ScanState and LoadState commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
-
-In this topic:
-
-[Migrate a Single Registry Key](#bkmk-migsingleregkey)
-
-[Migrate a Specific Folder](#bkmk-migspecificfolder)
-
-[Migrate a Folder from a Specific Drive](#bkmk-migfoldspecdrive)
-
-[Migrate a Folder from Any Location](#bkmk-migfolderanyloc)
-
-[Migrate a File Type Into a Specific Folder](#bkmk-migfiletypetospecificfolder)
-
-[Migrate a Specific File](#bkmk-migspecificfile)
-
-## Migrate a Single Registry Key
-
-
-The following .xml file migrates a single registry key.
-
-``` syntax
-
-
- Component to migrate only registry value string
-
-
-
-
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
-
-
-
-
-
-
-```
-
-## Migrate a Specific Folder
-
-
-The following examples show how to migrate a folder from a specific drive, and from any location on the computer.
-
-### Migrate a Folder from a Specific Drive
-
-- **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer.
-
- ``` syntax
-
-
- Component to migrate all Engineering Drafts Documents including subfolders
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
-
-
- ```
-
-- **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts.
-
- ``` syntax
-
-
- Component to migrate all Engineering Drafts Documents without subfolders
-
-
-
-
- C:\EngineeringDrafts\ [*]
-
-
-
-
-
-
- ```
-
-### Migrate a Folder from Any Location
-
-The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
-
-``` syntax
-
-
- Component to migrate all Engineering Drafts Documents folder on any drive on the computer
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated.
-
-``` syntax
-
-
- Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive
-
-
-
-
- C:\*\EngineeringDrafts\* [*]
- C:\EngineeringDrafts\* [*]
-
-
-
-
-
-
-```
-
-## Migrate a File Type Into a Specific Folder
-
-
-The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer.
-
-``` syntax
-
-
- All .mp3 files to My Documents
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## Migrate a Specific File
-
-
-The following examples show how to migrate a file from a specific folder, and how to migrate a file from any location.
-
-- **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer.
-
- ``` syntax
-
-
- Component to migrate all Engineering Drafts Documents
-
-
-
-
- C:\EngineeringDrafts\ [Sample.doc]
-
-
-
-
-
-
- ```
-
-- **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated.
-
- ``` syntax
- C:\* [Sample.doc]
- ```
-
- To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated.
-
- ``` syntax
-
- ```
-
-## Related topics
-
-
-[Customize USMT XML Files](usmt-customize-xml-files.md)
-
-[Custom XML Examples](usmt-custom-xml-examples.md)
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Include Files and Settings (Windows 10)
+description: Include Files and Settings
+ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Include Files and Settings
+
+
+When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) To include additional files and settings, we recommend that you create a custom .xml file and then include this file when using both the ScanState and LoadState commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
+
+In this topic:
+
+[Migrate a Single Registry Key](#bkmk-migsingleregkey)
+
+[Migrate a Specific Folder](#bkmk-migspecificfolder)
+
+[Migrate a Folder from a Specific Drive](#bkmk-migfoldspecdrive)
+
+[Migrate a Folder from Any Location](#bkmk-migfolderanyloc)
+
+[Migrate a File Type Into a Specific Folder](#bkmk-migfiletypetospecificfolder)
+
+[Migrate a Specific File](#bkmk-migspecificfile)
+
+## Migrate a Single Registry Key
+
+
+The following .xml file migrates a single registry key.
+
+``` xml
+
+
+ Component to migrate only registry value string
+
+
+
+
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
+
+
+
+
+
+
+```
+
+## Migrate a Specific Folder
+
+
+The following examples show how to migrate a folder from a specific drive, and from any location on the computer.
+
+### Migrate a Folder from a Specific Drive
+
+- **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer.
+
+ ``` xml
+
+
+ Component to migrate all Engineering Drafts Documents including subfolders
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+
+
+ ```
+
+- **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts.
+
+ ``` xml
+
+
+ Component to migrate all Engineering Drafts Documents without subfolders
+
+
+
+
+ C:\EngineeringDrafts\ [*]
+
+
+
+
+
+
+ ```
+
+### Migrate a Folder from Any Location
+
+The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
+
+``` xml
+
+
+ Component to migrate all Engineering Drafts Documents folder on any drive on the computer
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated.
+
+``` xml
+
+
+ Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive
+
+
+
+
+ C:\*\EngineeringDrafts\* [*]
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+
+
+```
+
+## Migrate a File Type Into a Specific Folder
+
+
+The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer.
+
+``` xml
+
+
+ All .mp3 files to My Documents
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Migrate a Specific File
+
+
+The following examples show how to migrate a file from a specific folder, and how to migrate a file from any location.
+
+- **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer.
+
+ ``` xml
+
+
+ Component to migrate all Engineering Drafts Documents
+
+
+
+
+ C:\EngineeringDrafts\ [Sample.doc]
+
+
+
+
+
+
+ ```
+
+- **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated.
+
+ ``` xml
+ C:\* [Sample.doc]
+ ```
+
+ To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated.
+
+ ``` xml
+
+ ```
+
+## Related topics
+
+
+[Customize USMT XML Files](usmt-customize-xml-files.md)
+
+[Custom XML Examples](usmt-custom-xml-examples.md)
+
+[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 6e7a2e5a39..d9917d3495 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,493 +1,494 @@
----
-title: Log Files (Windows 10)
-description: Log Files
-ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Log Files
-
-
-You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This topic describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue.
-
-[Log Command-Line Options](#bkmk-commandlineoptions)
-
-[ScanState and LoadState Logs](#bkmk-scanloadstatelogs)
-
-[Progress Log](#bkmk-progresslog)
-
-[List Files Log](#bkmk-listfileslog)
-
-[Diagnostic Log](#bkmk-diagnosticlog)
-
-## Log Command-Line Options
-
-
-The following table describes each command-line option related to logs, and it provides the log name and a description of what type of information each log contains.
-
-
-
-
-
-
-
-
-
-
Command line Option
-
File Name
-
Description
-
-
-
-
-
/l[Path]FileName
-
Scanstate.log or LoadState.log
-
Specifies the path and file name of the ScanState.log or LoadState log.
-
-
-
/progress[Path]FileName
-
Specifies the path and file name of the Progress log.
-
Provides information about the status of the migration, by percentage complete.
Specifies the path and file name of the Listfiles log.
-
Provides a list of the files that were migrated.
-
-
-
Set the environment variable MIG_ENABLE_DIAG to a path to an XML file.
-
USMTDiag.xml
-
The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.
-
-
-
-
-
-
-**Note**
-You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run.
-
-
-
-## ScanState and LoadState Logs
-
-
-ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## Progress Log
-
-
-You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows:
-
-- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006.
-
-- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13.
-
-- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10.
-
-The remaining fields are key/value pairs as indicated in the following table.
-
-
-
-
-
-
-
-
-
Key
-
Value
-
-
-
-
-
program
-
ScanState.exe or LoadState.exe.
-
-
-
productVersion
-
The full product version number of USMT.
-
-
-
computerName
-
The name of the source or destination computer on which USMT was run.
-
-
-
commandLine
-
The full command used to run USMT.
-
-
-
PHASE
-
Reports that a new phase in the migration is starting. This can be one of the following:
-
-
Initializing
-
Scanning
-
Collecting
-
Saving
-
Estimating
-
Applying
-
-
-
-
detectedUser
-
-
For the ScanState tool, these are the users USMT detected on the source computer that can be migrated.
-
For the LoadState tool, these are the users USMT detected in the store that can be migrated.
-
-
-
-
includedInMigration
-
Defines whether the user profile/component is included for migration. Valid values are Yes or No.
-
-
-
forUser
-
Specifies either of the following:
-
-
The user state being migrated.
-
This Computer, meaning files and settings that are not associated with a user.
-
-
-
-
detectedComponent
-
Specifies a component detected by USMT.
-
-
For ScanState, this is a component or application that is installed on the source computer.
-
For LoadState, this is a component or application that was detected in the store.
-
-
-
-
totalSizeInMBToTransfer
-
Total size of the files and settings to migrate in megabytes (MB).
-
-
-
totalPercentageCompleted
-
Total percentage of the migration that has been completed by either ScanState or LoadState.
-
-
-
collectingUser
-
Specifies which user ScanState is collecting files and settings for.
-
-
-
totalMinutesRemaining
-
Time estimate, in minutes, for the migration to complete.
-
-
-
error
-
Type of non-fatal error that occurred. This can be one of the following:
-
-
UnableToCopy: Unable to copy to store because the disk on which the store is located is full.
-
UnableToOpen: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.
-
UnableToCopyCatalog: Unable to copy because the store is corrupted.
-
UnableToAccessDevice: Unable to access the device.
-
UnableToApply: Unable to apply the setting to the destination computer.
-
-
-
-
objectName
-
The name of the file or setting that caused the non-fatal error.
-
-
-
action
-
Action taken by USMT for the non-fatal error. The values are:
-
-
Ignore: Non-fatal error ignored and the migration continued because the /c option was specified on the command line.
-
Abort: Stopped the migration because the /c option was not specified.
-
-
-
-
errorCode
-
The errorCode or return value.
-
-
-
numberOfIgnoredErrors
-
The total number of non-fatal errors that USMT ignored.
-
-
-
message
-
The message corresponding to the errorCode.
-
-
-
-
-
-
-## List Files Log
-
-
-The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe.
-
-## Diagnostic Log
-
-
-You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file.
-
-The diagnostic log contains:
-
-- Detailed system environment information
-
-- Detailed user environment information
-
-- Information about the migration units (migunits) being gathered and their contents
-
-## Using the Diagnostic Log
-
-
-The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files.
-
-The following examples describe common scenarios in which you can use the diagnostic log.
-
-**Why is this file not migrating when I authored an "include" rule for it?**
-
-Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains:
-
-``` syntax
-01/21/2009 10:08 PM .
-01/21/2009 10:08 PM ..
-01/21/2009 10:08 PM New Folder
-01/21/2009 09:19 PM 13 test (1).txt
-01/21/2009 09:19 PM 13 test.txt
- 2 File(s) 26 bytes
-```
-
-The directory of **C:\\data\\New Folder** contains:
-
-``` syntax
-01/21/2009 10:08 PM .
-01/21/2009 10:08 PM ..
-01/21/2009 10:08 PM 0 New Text Document.txt
- 1 File(s) 0 bytes
-```
-
-To migrate these files you author the following migration XML:
-
-```xml
-
-
-
-
- DATA1
-
-
-
-
- c:\data\ [*]
-
-
-
-
-
-
-
-```
-
-However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered:
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The <Perform> section details the actual files that were scheduled for gathering and the result of the gathering operation. The “New Text Document.txt” file doesn’t appear in this section, which confirms that the migration rule was not correctly authored.
-
-An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows:
-
-``` syntax
-c:\data\* [*]
-```
-
-When the migration is preformed again with the modified tag, the diagnostic log reveals the following:
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-This diagnostic log confirms that the modified <pattern> value enables the migration of the file.
-
-**Why is this file migrating when I authored an exclude rule excluding it?**
-
-In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains:
-
-``` syntax
-Directory of C:\Data
-
-01/21/2009 10:08 PM .
-01/21/2009 10:08 PM ..
-01/21/2009 10:08 PM New Folder
-01/21/2009 09:19 PM 13 test (1).txt
-01/21/2009 09:19 PM 13 test.txt
- 2 File(s) 26 bytes
-```
-
-The **C:\\Data\\New Folder\\** contains:
-
-``` syntax
-01/21/2009 10:08 PM .
-01/21/2009 10:08 PM ..
-01/21/2009 10:08 PM 0 New Text Document.txt
- 1 File(s) 0 bytes
-```
-
-You author the following migration XML:
-
-```xml
-
-
-
-
- DATA1
-
-
-
-
- c:\data\* [*]
-
-
-
-
-
-
- c:\* [*.txt]
-
-
-
-
-
-
-```
-
-However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered:
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it is a problem with the authored migration XML rule. You author an update to the migration XML script as follows:
-
-```xml
-
-
-
-
- DATA1
-
-
-
-
- c:\data\* [*]
-
-
-
-
-
-
- c:\data\* [*.txt]
-
-
-
-
-
-
-
-
-
-```
-
-Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log:
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## Related topics
-
-
-[XML Elements Library](usmt-xml-elements-library.md)
-
-[ScanState Syntax](usmt-scanstate-syntax.md)
-
-[LoadState Syntax](usmt-loadstate-syntax.md)
-
-
-
-
-
-
-
-
-
+---
+title: Log Files (Windows 10)
+description: Log Files
+ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Log Files
+
+
+You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This topic describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue.
+
+[Log Command-Line Options](#bkmk-commandlineoptions)
+
+[ScanState and LoadState Logs](#bkmk-scanloadstatelogs)
+
+[Progress Log](#bkmk-progresslog)
+
+[List Files Log](#bkmk-listfileslog)
+
+[Diagnostic Log](#bkmk-diagnosticlog)
+
+## Log Command-Line Options
+
+
+The following table describes each command-line option related to logs, and it provides the log name and a description of what type of information each log contains.
+
+
+
+
+
+
+
+
+
+
Command line Option
+
File Name
+
Description
+
+
+
+
+
/l[Path]FileName
+
Scanstate.log or LoadState.log
+
Specifies the path and file name of the ScanState.log or LoadState log.
+
+
+
/progress[Path]FileName
+
Specifies the path and file name of the Progress log.
+
Provides information about the status of the migration, by percentage complete.
Specifies the path and file name of the Listfiles log.
+
Provides a list of the files that were migrated.
+
+
+
Set the environment variable MIG_ENABLE_DIAG to a path to an XML file.
+
USMTDiag.xml
+
The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.
+
+
+
+
+
+
+**Note**
+You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run.
+
+
+
+## ScanState and LoadState Logs
+
+
+ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md).
+
+## Progress Log
+
+
+You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows:
+
+- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006.
+
+- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13.
+
+- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10.
+
+The remaining fields are key/value pairs as indicated in the following table.
+
+
+
+
+
+
+
+
+
Key
+
Value
+
+
+
+
+
program
+
ScanState.exe or LoadState.exe.
+
+
+
productVersion
+
The full product version number of USMT.
+
+
+
computerName
+
The name of the source or destination computer on which USMT was run.
+
+
+
commandLine
+
The full command used to run USMT.
+
+
+
PHASE
+
Reports that a new phase in the migration is starting. This can be one of the following:
+
+
Initializing
+
Scanning
+
Collecting
+
Saving
+
Estimating
+
Applying
+
+
+
+
detectedUser
+
+
For the ScanState tool, these are the users USMT detected on the source computer that can be migrated.
+
For the LoadState tool, these are the users USMT detected in the store that can be migrated.
+
+
+
+
includedInMigration
+
Defines whether the user profile/component is included for migration. Valid values are Yes or No.
+
+
+
forUser
+
Specifies either of the following:
+
+
The user state being migrated.
+
This Computer, meaning files and settings that are not associated with a user.
+
+
+
+
detectedComponent
+
Specifies a component detected by USMT.
+
+
For ScanState, this is a component or application that is installed on the source computer.
+
For LoadState, this is a component or application that was detected in the store.
+
+
+
+
totalSizeInMBToTransfer
+
Total size of the files and settings to migrate in megabytes (MB).
+
+
+
totalPercentageCompleted
+
Total percentage of the migration that has been completed by either ScanState or LoadState.
+
+
+
collectingUser
+
Specifies which user ScanState is collecting files and settings for.
+
+
+
totalMinutesRemaining
+
Time estimate, in minutes, for the migration to complete.
+
+
+
error
+
Type of non-fatal error that occurred. This can be one of the following:
+
+
UnableToCopy: Unable to copy to store because the disk on which the store is located is full.
+
UnableToOpen: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.
+
UnableToCopyCatalog: Unable to copy because the store is corrupted.
+
UnableToAccessDevice: Unable to access the device.
+
UnableToApply: Unable to apply the setting to the destination computer.
+
+
+
+
objectName
+
The name of the file or setting that caused the non-fatal error.
+
+
+
action
+
Action taken by USMT for the non-fatal error. The values are:
+
+
Ignore: Non-fatal error ignored and the migration continued because the /c option was specified on the command line.
+
Abort: Stopped the migration because the /c option was not specified.
+
+
+
+
errorCode
+
The errorCode or return value.
+
+
+
numberOfIgnoredErrors
+
The total number of non-fatal errors that USMT ignored.
+
+
+
message
+
The message corresponding to the errorCode.
+
+
+
+
+
+
+## List Files Log
+
+
+The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe.
+
+## Diagnostic Log
+
+
+You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file.
+
+The diagnostic log contains:
+
+- Detailed system environment information
+
+- Detailed user environment information
+
+- Information about the migration units (migunits) being gathered and their contents
+
+## Using the Diagnostic Log
+
+
+The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files.
+
+The following examples describe common scenarios in which you can use the diagnostic log.
+
+**Why is this file not migrating when I authored an "include" rule for it?**
+
+Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains:
+
+```
+01/21/2009 10:08 PM .
+01/21/2009 10:08 PM ..
+01/21/2009 10:08 PM New Folder
+01/21/2009 09:19 PM 13 test (1).txt
+01/21/2009 09:19 PM 13 test.txt
+ 2 File(s) 26 bytes
+```
+
+The directory of **C:\\data\\New Folder** contains:
+
+```
+01/21/2009 10:08 PM .
+01/21/2009 10:08 PM ..
+01/21/2009 10:08 PM 0 New Text Document.txt
+ 1 File(s) 0 bytes
+```
+
+To migrate these files you author the following migration XML:
+
+```xml
+
+
+
+
+ DATA1
+
+
+
+
+ c:\data\ [*]
+
+
+
+
+
+
+
+```
+
+However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered:
+
+``` xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The <Perform> section details the actual files that were scheduled for gathering and the result of the gathering operation. The “New Text Document.txt” file doesn’t appear in this section, which confirms that the migration rule was not correctly authored.
+
+An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows:
+
+``` xml
+c:\data\* [*]
+```
+
+When the migration is preformed again with the modified tag, the diagnostic log reveals the following:
+
+``` xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+This diagnostic log confirms that the modified <pattern> value enables the migration of the file.
+
+**Why is this file migrating when I authored an exclude rule excluding it?**
+
+In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains:
+
+```
+Directory of C:\Data
+
+01/21/2009 10:08 PM .
+01/21/2009 10:08 PM ..
+01/21/2009 10:08 PM New Folder
+01/21/2009 09:19 PM 13 test (1).txt
+01/21/2009 09:19 PM 13 test.txt
+ 2 File(s) 26 bytes
+```
+
+The **C:\\Data\\New Folder\\** contains:
+
+```
+01/21/2009 10:08 PM .
+01/21/2009 10:08 PM ..
+01/21/2009 10:08 PM 0 New Text Document.txt
+ 1 File(s) 0 bytes
+```
+
+You author the following migration XML:
+
+```xml
+
+
+
+
+ DATA1
+
+
+
+
+ c:\data\* [*]
+
+
+
+
+
+
+ c:\* [*.txt]
+
+
+
+
+
+
+```
+
+However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered:
+
+``` xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it is a problem with the authored migration XML rule. You author an update to the migration XML script as follows:
+
+```xml
+
+
+
+
+ DATA1
+
+
+
+
+ c:\data\* [*]
+
+
+
+
+
+
+ c:\data\* [*.txt]
+
+
+
+
+
+
+
+
+
+```
+
+Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log:
+
+``` xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Related topics
+
+
+[XML Elements Library](usmt-xml-elements-library.md)
+
+[ScanState Syntax](usmt-scanstate-syntax.md)
+
+[LoadState Syntax](usmt-loadstate-syntax.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 59ce16d8ed..22f64e513e 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -1,129 +1,130 @@
----
-title: Reroute Files and Settings (Windows 10)
-description: Reroute Files and Settings
-ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Reroute Files and Settings
-
-
-To reroute files and settings, create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines. This enables you to keep your changes separate from the default .xml files, so that it is easier to track your modifications.
-
-In this topic:
-
-- [Reroute a Folder](#bkmk-reroutefolder)
-
-- [Reroute a Specific File Type](#bkmk-reroutespecfiletype)
-
-- [Reroute a Specific File](#bkmk-reroutespecificfile)
-
-## Reroute a Folder
-
-
-The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
-
-``` syntax
-
-
- Engineering Drafts Documents to Personal Folder
-
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
-
- C:\EngineeringDrafts\* [*]
-
-
-
-
-
-
-```
-
-## Reroute a Specific File Type
-
-
-The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer.
-
-``` syntax
-
-
- All .mp3 files to My Documents
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## Reroute a Specific File
-
-
-The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
-
-``` syntax
-
-
-Sample.doc into My Documents
-
-
-
-
- C:\EngineeringDrafts\ [Sample.doc]
-
-
-
-
- C:\EngineeringDrafts\ [Sample.doc]
-
-
-
-
-
-
-```
-
-## Related topics
-
-
-[Customize USMT XML Files](usmt-customize-xml-files.md)
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Reroute Files and Settings (Windows 10)
+description: Reroute Files and Settings
+ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Reroute Files and Settings
+
+
+To reroute files and settings, create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines. This enables you to keep your changes separate from the default .xml files, so that it is easier to track your modifications.
+
+In this topic:
+
+- [Reroute a Folder](#bkmk-reroutefolder)
+
+- [Reroute a Specific File Type](#bkmk-reroutespecfiletype)
+
+- [Reroute a Specific File](#bkmk-reroutespecificfile)
+
+## Reroute a Folder
+
+
+The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
+
+``` xml
+
+
+ Engineering Drafts Documents to Personal Folder
+
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+
+ C:\EngineeringDrafts\* [*]
+
+
+
+
+
+
+```
+
+## Reroute a Specific File Type
+
+
+The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer.
+
+``` xml
+
+
+ All .mp3 files to My Documents
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Reroute a Specific File
+
+
+The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
+
+``` xml
+
+
+Sample.doc into My Documents
+
+
+
+
+ C:\EngineeringDrafts\ [Sample.doc]
+
+
+
+
+ C:\EngineeringDrafts\ [Sample.doc]
+
+
+
+
+
+
+```
+
+## Related topics
+
+
+[Customize USMT XML Files](usmt-customize-xml-files.md)
+
+[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 54f36c31ff..bfbd4e2c61 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -1,4263 +1,4264 @@
----
-title: XML Elements Library (Windows 10)
-description: XML Elements Library
-ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# XML Elements Library
-
-
-## Overview
-
-
-This topic describes the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). It is assumed that you understand the basics of XML. .
-
-## In This Topic
-
-
-In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions.
-
-- [Elements and helper functions](#elements)
-
-- [Appendix](#appendix)
-
- - [Specifying locations](#locations)
-
- - [Internal USMT functions](#internalusmtfunctions)
-
- - [Valid version tags](#allowed)
-
-## Elements and Helper Functions
-
-
-The following table describes the XML elements and helper functions you can use with USMT.
-
-
-
-
-
-## <addObjects>
-
-
-The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attribute) as child elements of this <object> element.
-
-- **Optional child elements:**[<conditions>](#conditions), <condition>, [<script>](#script)
-
-Syntax:
-
-<addObjects>
-
-</addObjects>
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-```
-
-## <attributes>
-
-
-The <attributes> element defines the attributes for a registry key or file.
-
-- **Number of occurrences:** once for each <object>
-
-- **Parent elements:**[<object>](#object)
-
-- **Child elements:** none
-
-Syntax:
-
-<attributes>*Content*</attributes>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Content
-
Yes
-
The content depends on the type of object specified.
-
-
For files, the content can be a string containing any of the following attributes separated by commas:
-
-
Archive
-
Read-only
-
System
-
Hidden
-
-
For registry keys, the content can be one of the following types:
-
-
None
-
String
-
ExpandString
-
Binary
-
Dword
-
REG_SZ
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-```
-
-## <bytes>
-
-
-You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<object>](#object)
-
-- **Child elements:** none
-
-Syntax:
-
-<bytes string="Yes|No" expand="Yes|No">*Content*</bytes>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
string
-
No, default is No
-
Determines whether Content should be interpreted as a string or as bytes.
-
-
-
expand
-
No (default = Yes
-
When the expand parameter is Yes, the content of the <bytes> element is first expanded in the context of the source computer and then interpreted.
-
-
-
Content
-
Yes
-
Depends on the value of the string.
-
-
When the string is Yes: the content of the <bytes> element is interpreted as a string.
-
When the string is No: the content of the <bytes> element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, "616263" is the representation for the "abc" ANSI string. A complete representation of the UNICODE string "abc" including the string terminator would be: "6100620063000000".
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-```
-
-## <commandLine>
-
-
-You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<externalProcess>](#externalprocess)
-
-- **Child elements:** none****
-
-Syntax:
-
-<commandLine>*CommandLineString*</commandLine>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
CommandLineString
-
Yes
-
A valid command line.
-
-
-
-
-
-
-## <component>
-
-
-The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component.
-
-A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<migration>](#migration), [<role>](#role)
-
-- **Required child elements:**[<role>](#role), [<displayName>](#displayname)
-
-- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions)
-
-Syntax:
-
-<component type="System|Application|Device|Documents" context="User|System|UserAndSystem" defaultSupported="TRUE|FALSE|YES|NO"
-
-hidden="Yes|No">
-
-</component>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
type
-
Yes
-
You can use the following to group settings, and define the type of the component.
-
-
System: Operating system settings. All Windows® components are defined by this type.
-
When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.
-
Application: Settings for an application.
-
Device: Settings for a device.
-
Documents: Specifies files.
-
-
-
-
context
-
No
-
Default = UserAndSystem
-
Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both.
-
The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If a <rules> element has a context of System, it would act as though the <rules> element is not there.
-
-
User. Evaluates the component for each user.
-
System. Evaluates the component only once for the system.
-
UserAndSystem. Evaluates the component for the entire operating system and each user.
-
-
-
-
defaultSupported
-
No
-
(default = TRUE)
-
Can be any of TRUE, FALSE, YES or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer.
-
When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.
-
-
-
hidden
-
-
This parameter is for internal USMT use only.
-
-
-
-
-
-
-For an example, see any of the default migration .xml files.
-
-## <condition>
-
-
-Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements.
-
-The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated.
-
-- **Number of occurrences:** unlimited.
-
-- **Parent elements:**[<conditions>](#conditions), <detect>, <objectSet>, <addObjects>
-
-- **Child elements:** none
-
-- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent.
-
-Syntax:
-
-<condition negation="Yes|No">*ScriptName*</condition>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
negation
-
No
-
Default = No
-
"Yes" reverses the True/False value of the condition.
-
-
-
ScriptName
-
Yes
-
A script that has been defined within this migration section.
-
-
-
-
-
-
-For example,
-
-In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example:
-
-``` syntax
-
-
- A
-
-
- B
-
-
-```
-
-However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section.
-
-``` syntax
-
-
- A
- B
-
-
-```
-
-### <condition> functions
-
-The <condition> functions return a Boolean value. You can use these elements in <addObjects> conditions.
-
-- [Operating system version functions](#operatingsystemfunctions)
-
-- [Object content functions](#objectcontentfunctions)
-
-### Operating system version functions
-
-- **DoesOSMatch**
-
- All matches are case insensitive.
-
- Syntax: DoesOSMatch("*OSType*","*OSVersion*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
OSType
-
Yes
-
The only valid value for this setting is NT. Note, however, that you must set this setting for the <condition> functions to work correctly.
-
-
-
OSVersion
-
Yes
-
The major version, minor version, build number and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.
-
-
-
-
-
-
-~~~
-For example:
-
-<condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition>
-~~~
-
-- **IsNative64Bit**
-
- The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE.
-
-- **IsOSLaterThan**
-
- All comparisons are case insensitive.
-
- Syntax: IsOSLaterThan("*OSType*","*OSVersion*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
OSType
-
Yes
-
Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE.
-
-
-
OSVersion
-
Yes
-
The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
-
The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to OSVersion.
-
-
-
-
-
-
-~~~
-For example:
-
-<condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition>
-~~~
-
-- **IsOSEarlierThan**
-
- All comparisons are case insensitive.
-
- Syntax: IsOSEarlierThan("*OSType*","*OSVersion*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
OSType
-
Yes
-
Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE.
-
-
-
OSVersion
-
Yes
-
The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
-
The IsOSEarlierThan function returns TRUE if the current operating system is earlier than OSVersion.
-
-
-
-
-
-
-### Object content functions
-
-- **DoesObjectExist**
-
- The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration.
-
- Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*")
-
-
-
-
-
-~~~
-For an example of this element, see the MigApp.xml file.
-~~~
-
-- **DoesFileVersionMatch**
-
- The pattern check is case insensitive.
-
- Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
EncodedFileLocation
-
Yes
-
The location pattern for the file that will be checked. Environment variables are allowed.
-
-
-
-~~~
-For example:
-
-<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition>
-
-<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition>
-~~~
-
-- **IsFileVersionAbove**
-
- The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*.
-
- Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
EncodedFileLocation
-
Yes
-
The location pattern for the file that will be checked. Environment variables are allowed.
The value to compare to. You cannot specify a pattern.
-
-
-
-
-
-
-- **IsSystemContext**
-
- The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE.
-
- Syntax: IsSystemContext()
-
-- **DoesStringContentEqual**
-
- The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`.
-
- Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectType
-
Yes
-
Defines the type of object. Can be File or Registry.
-
-
-
EncodedLocationPattern
-
Yes
-
The encoded location for the object that will be examined. You can specify environment variables.
-
-
-
StringContent
-
Yes
-
The string that will be checked against.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","")
-```
-~~~
-
-- **DoesStringContentContain**
-
- The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object.
-
- Syntax: DoesStringContentContain("*ObjectType*","*EncodedLocation*","*StrToFind*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectType
-
Yes
-
Defines the type of object. Can be File or Registry.
-
-
-
EncodedLocationPattern
-
Yes
-
The encoded location for the object that will be examined. You can specify environment variables.
-
-
-
StrToFind
-
Yes
-
A string that will be searched inside the content of the given object.
-
-
-
-
-
-
-- **IsSameObject**
-
- The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE.
-
- Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectType
-
Yes
-
Defines the type of object. Can be File or Registry.
-
-
-
EncodedLocation1
-
Yes
-
The encoded location for the first object. You can specify environment variables.
-
-
-
EncodedLocation2
-
Yes
-
The encoded location for the second object. You can specify environment variables.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
- MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%")
- %CSIDL_FAVORITES%\* [*]
-
-```
-~~~
-
-- **IsSameContent**
-
- The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte.
-
- Syntax: IsSameContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectType1
-
Yes
-
Defines the type of the first object. Can be File or Registry.
-
-
-
EncodedLocation1
-
Yes
-
The encoded location for the first object. You can specify environment variables.
-
-
-
ObjectType2
-
Yes
-
Defines the type of the second object. Can be File or Registry.
-
-
-
EncodedLocation2
-
Yes
-
The encoded location for the second object. You can specify environment variables.
-
-
-
-
-
-
-- **IsSameStringContent**
-
- The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string.
-
- Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectType1
-
Yes
-
Defines the type of the first object. Can be File or Registry.
-
-
-
EncodedLocation1
-
Yes
-
The encoded location for the first object. You can specify environment variables.
-
-
-
ObjectType2
-
Yes
-
Defines the type of the second object. Can be File or Registry.
-
-
-
EncodedLocation2
-
Yes
-
The encoded location for the second object. You can specify environment variables.
-
-
-
-
-
-
-## <conditions>
-
-
-The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter.
-
-- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
-
-- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
-
-- **Child elements:**[<conditions>](#conditions), [<condition>](#condition)
-
-Syntax:
-
-<conditions operation="AND|OR">
-
-</conditions>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
operation
-
No, default = AND
-
Defines the Boolean operation that is performed on the results that are obtained from the child elements.
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
- MigXmlHelper.IsNative64Bit()
-
-
- HKLM\Software
-
-
-```
-
-## <content>
-
-
-You can use the <content> element to specify a list of object patterns to obtain an object set from the source computer. Each <objectSet> within a <content> element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the <content> element. The filter script returns an array of locations. The parent <objectSet> element can contain multiple child <content> elements.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<objectSet>](#objectset)
-
-- **Child elements:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<content> functions](#contentfunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory.
-
-Syntax:
-
-<content filter="*ScriptInvocation*">
-
-</content>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
filter
-
Yes
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script is called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-### <content> functions
-
-The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating.
-
-- **ExtractSingleFile**
-
- If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL.
-
- Syntax: ExtractSingleFile(*Separators*,*PathHints*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Separators
-
Yes
-
A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL.
-
-
-
PathHints
-
Yes
-
A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-```
-
-and
-
-``` syntax
-
-```
-~~~
-
-- **ExtractMultipleFiles**
-
- The ExtractMultipleFiles function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a MULTI-SZ, the MULTI-SZ separator is considered a separator by default. therefore, for MULTI-SZ, the <Separators> argument must be NULL.
-
- The returned patterns are the encoded locations for files that must exist on the source computer. If the specification is correct in the registry value but the file does not exist, it will not be included in the resulting list.
-
- Syntax: ExtractMultipleFiles(*Separators*,*PathHints*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Separators
-
Yes
-
A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values.
-
-
-
PathHints
-
Yes
-
A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.
-
-
-
-
-
-
-- **ExtractDirectory**
-
- The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed.
-
- Syntax: ExtractDirectory(*Separators*,*LevelsToTrim*,*PatternSuffix*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Separators
-
No
-
A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values.
-
-
-
LevelsToTrim
-
Yes
-
The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location.
-
-
-
PatternSuffix
-
Yes
-
The pattern to add to the directory specification. For example, * [*].
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
- %HklmWowSoftware%\Classes\Software\RealNetworks\Preferences\DT_Common []
-
-
-
-```
-~~~
-
-## <contentModify>
-
-
-The <contentModify> element modifies the content of an object before it is written to the destination computer. For each <contentModify> element there can be multiple <objectSet> elements. This element returns the new content of the object that is being processed.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child elements:**[<objectSet>](#objectset)
-
-- **Helper functions**: You can use the following [<contentModify> functions](#contentmodifyfunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent.
-
-Syntax:
-
-<contentModify script="*ScriptInvocation*">
-
-</contentModify>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
script
-
Yes
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-### <contentModify> functions
-
-The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating.
-
-- **ConvertToDWORD**
-
- The ConvertToDWORD function converts the content of registry values that are enumerated by the parent <ObjectSet> element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied.
-
- Syntax: ConvertToDWORD(*DefaultValueOnError*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
DefaultValueOnError
-
No
-
The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.
-
-
-
-
-
-
-- **ConvertToString**
-
- The ConvertToString function converts the content of registry values that match the parent <ObjectSet> element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied.
-
- Syntax: ConvertToString(*DefaultValueOnError*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
DefaultValueOnError
-
No
-
The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
- HKCU\Control Panel\Desktop [ScreenSaveUsePassword]
-
-
-```
-~~~
-
-- **ConvertToBinary**
-
- The ConvertToBinary function converts the content of registry values that match the parent <ObjectSet> element to a binary type.
-
- Syntax: ConvertToBinary ()
-
-- **OffsetValue**
-
- The OffsetValue function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of 14, and the *Value* is "-2", the registry value will be 12 on the destination computer.
-
- Syntax: OffsetValue(*Value*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Value
-
Yes
-
The string representation of a numeric value. It can be positive or negative. For example, OffsetValue(2).
-
-
-
-
-
-
-- **SetValueByTable**
-
- The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied.
-
- Syntax: SetValueByTable(*SourceTable*,*DestinationTable*,*DefaultValueOnError*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
SourceTable
-
Yes
-
A list of values separated by commas that are possible for the source registry values.
-
-
-
DestinationTable
-
No
-
A list of translated values separated by commas.
-
-
-
DefaultValueOnError
-
No
-
The value that will be applied to the destination computer if either 1) the value for the source computer does not match SourceTable, or 2) DestinationTable has no equivalent value.
-
If DefaultValueOnError is NULL, the value will not be changed on the destination computer.
-
-
-
-
-
-
-- **KeepExisting**
-
- You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer.
-
- Syntax: KeepExisting("*OptionString*","*OptionString*","*OptionString*",…)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
OptionString
-
Yes
-
OptionString can be Security, TimeFields, or FileAttrib:Letter. You can specify one of each type of OptionStrings. Do not specify multiple OptionStrings with the same value. If you do, the right-most option of that type will be kept. For example, do not specify ("FileAttrib:H", "FileAttrib:R") because only Read-only will be evaluated. Instead specify ("FileAttrib:HR") and both Hidden and Read-only attributes will be kept on the destination computer.
-
-
Security. Keeps the destination object's security descriptor if it exists.
-
TimeFields. Keeps the destination object's time stamps. This parameter is for files only.
-
FileAttrib:Letter. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after "FileAttrib:". You can specify any combination of the following attributes:
-
-
A = Archive
-
C = Compressed
-
E = Encrypted
-
H = Hidden
-
I = Not Content Indexed
-
O = Offline
-
R = Read-Only
-
S = System
-
T = Temporary
-
-
-
-
-
-
-
-
-- **MergeMultiSzContent**
-
- The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed.
-
- Syntax: MergeMultiSzContent (*Instruction*,*String*,*Instruction*,*String*,…)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Instruction
-
Yes
-
Can be one of the following:
-
-
Add. Adds the corresponding String to the resulting MULTI-SZ if it is not already there.
-
Remove. Removes the corresponding String from the resulting MULTI-SZ.
-
-
-
-
String
-
Yes
-
The string to be added or removed.
-
-
-
-
-
-
-- **MergeDelimitedContent**
-
- The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed.
-
- Syntax: MergeDelimitedContent(*Delimiters*,*Instruction*,*String*,…)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Delimiters
-
Yes
-
A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the Delimiters.
-
For example, "." will separate the string based on a period.
-
-
-
Instruction
-
Yes
-
Can one of the following:
-
-
Add. Adds String to the resulting MULTI-SZ if it is not already there.
-
Remove. Removes String from the resulting MULTI-SZ.
-
-
-
-
String
-
Yes
-
The string to be added or removed.
-
-
-
-
-
-
-## <description>
-
-
-The <description> element defines a description for the component but does not affect the migration.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<component>](#component)
-
-- **Child elements:** none
-
-Syntax:
-
-<description>*ComponentDescription*</description>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ComponentDescription
-
Yes
-
The description of the component.
-
-
-
-
-
-
-The following code sample shows how the <description> element defines the "My custom component" description.:
-
-``` syntax
-My custom component
-```
-
-## <destinationCleanup>
-
-
-The <destinationCleanup> element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool.
-
-**Important**
-Use this option with extreme caution because it will delete objects from the destination computer.
-
-
-
-For each <destinationCleanup> element there can be multiple <objectSet> elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Child elements:**[<objectSet>](#objectset) (Note that the destination computer will delete all child elements.)
-
-Syntax:
-
-<destinationCleanup filter=*ScriptInvocation*>
-
-</destinationCleanup>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
filter
-
Yes
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
- HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*]
- HKCU\Software\Lotus\123\99.0\Find Preferences\* [*]
-
-
-```
-
-## <detect>
-
-
-Although the <detect> element is still supported, we do not recommend using it because it may be deprecated in future versions of USMT. In that case, you would have to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection)**element.**
-
-You use the <detect> element to determine if the component is present on a system. If all child <detect> elements within a <detect> element resolve to TRUE, then the <detect> element resolves to TRUE. If any child <detect> elements resolve to FALSE, then their parent <detect> element resolves to FALSE. If there is no <detect> element section, then USMT will assume that the component is present.
-
-For each <detect> element there can be multiple child <condition> or <objectSet> elements, which will be logically joined by an OR operator. If at least one <condition> or <objectSet> element evaluates to TRUE, then the <detect> element evaluates to TRUE.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:** <detects>, [<namedElements>](#namedelements)
-
-- **Required child elements:**[<condition>](#condition)
-
-- **Optional child elements:**[<objectSet>](#objectset)
-
-Syntax:
-
-<detect name="*ID*" context="User|System|UserAndSystem">
-
-</detect>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
name
-
Yes, when <detect> is a child to <namedElements>
-
No, when <detect> is a child to <detects>
-
When ID is specified, any child elements are not processed. Instead, any other <detect> elements with the same name that are declared within the <namedElements> element are processed.
-
-
-
context
-
No
-
(default = UserAndSystem)
-
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
-
The largest possible scope is set by the component element. For example, if a <component> element has a context of User, and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.
-
-
User. Evaluates the variables for each user.
-
System. Evaluates the variables only once for the system.
-
UserAndSystem. Evaluates the variables for the entire operating system and each user.
-
-
-
-
-
-
-
-For examples, see the examples for [<detection>](#detection).
-
-## <detects>
-
-
-Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements.
-
-The <detects> element is a container for one or more <detect> elements. If all of the child <detect> elements within a <detects> element resolve to TRUE, then <detects> resolves to TRUE. If any of the child <detect> elements resolve to FALSE, then <detects> resolves to FALSE. If you do not want to write the <detects> elements within a component, then you can create the <detects> element under the <namedElements> element, and then refer to it. If there is no <detects> element section, then USMT will assume that the component is present. The results from each <detects> element are joined together by the OR operator to form the rule used to detect the parent element.
-
-Syntax:
-
-<detects name="*ID*" context="User|System|UserAndSystem">
-
-</detects>
-
-- **Number of occurrences:** Unlimited.
-
-- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements)
-
-- **Required child elements:** <detect>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
name
-
Yes, when <detects> is a child to <namedElements>
-
No, when <detects> is a child to <role> or <rules>
-
When ID is specified, no child <detect> elements are processed. Instead, any other <detects> elements with the same name that are declared within the <namedElements> element are processed.
-
-
-
context
-
No
-
(default = UserAndSystem)
-
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
-
The largest possible scope is set by the <component element>. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.
-
-
User. Evaluates the variables for each user.
-
System. Evaluates the variables only once for the system.
-
UserAndSystem. Evaluates the variables for the entire operating system and each user.
-
-
The context parameter is ignored for <detects> elements that are inside <rules> elements.
-
-
-
-
-
-
-The following example is from the MigApp.xml file.
-
-``` syntax
-
-
- MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*")
-
-
- MigXmlHelper.DoesFileVersionMatch("%SmartSuiteInstPath%\smartctr.exe","ProductVersion","99.*")
-
-
-```
-
-## <detection>
-
-
-The <detection> element is a container for one <conditions> element. The result of the child <condition> elements, located underneath the <conditions> element, determines the result of this element. For example, if all of the child <conditions> elements within the <detection> element resolve to TRUE, then the <detection> element resolves to TRUE. If any of the child <conditions> elements resolve to FALSE, then the <detection> element resolves to FALSE.
-
-In addition, the results from each <detection> section within the <role> element are joined together by the OR operator to form the detection rule of the parent element. That is, if one of the <detection> sections resolves to TRUE, then the <role> element will be processed. Otherwise, the <role> element will not be processed.
-
-Use the <detection> element under the <namedElements> element if you do not want to write it within a component. Then include a matching <detection> section under the <role> element to control whether the component is migrated. If there is not a <detection> section for a component, then USMT will assume that the component is present.
-
-- **Number of occurrences:** Unlimited.
-
-- **Parent elements:**[<role>](#role), [<namedElements>](#namedelements)
-
-- **Child elements:**[<conditions>](#conditions)
-
-Syntax:
-
-<detection name="*ID*" context="User|System|UserAndSystem">
-
-</detection>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
name
-
-
Yes, when <detection> is declared under <namedElements>
-
Optional, when declared under <role>
-
-
If declared, the content of the <detection> element is ignored and the content of the <detection> element with the same name that is declared in the <namedElements> element will be evaluated.
-
-
-
context
-
No, default = UserAndSystem
-
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
-
-
User. Evaluates the component for each user.
-
System. Evaluates the component only once for the system.
-
UserAndSystem. Evaluates the component for the entire operating system and each user.
-
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
- MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0")
- MigXmlHelper.DoesFileVersionMatch("%PhotoshopSuite8Path%\Photoshop.exe","FileVersion","8.*")
-
-
-```
-
-and
-
-``` syntax
-
-
-
- MigXmlHelper.DoesFileVersionMatch("%QuickTime5Exe%","ProductVersion","QuickTime 5.*")
- MigXmlHelper.DoesFileVersionMatch("%QuickTime5Exe%","ProductVersion","QuickTime 6.*")
-
-
-```
-
-## <displayName>
-
-
-The <displayName> element is a required field within each <component> element.
-
-- **Number of occurrences:** once for each component
-
-- **Parent elements:**[<component>](#component)
-
-- **Child elements:** none
-
-Syntax:
-
-<displayName \_locID="*ID*">*ComponentName*</displayName>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
locID
-
No
-
This parameter is for internal USMT use. Do not use this parameter.
-
-
-
ComponentName
-
Yes
-
The name for the component.
-
-
-
-
-
-
-For example:
-
-``` syntax
-Command Prompt settings
-```
-
-## <environment>
-
-
-The <environment> element is a container for <variable> elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#envex).
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<role>](#role), [<component>](#component), [<namedElements>](#namedelements)
-
-- **Required child elements:**[<variable>](#variable)
-
-- **Optional child elements:**[conditions](#conditions)
-
-Syntax:
-
-<environment name="ID" context="User|System|UserAndSystem">
-
-</environment>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
name
-
Yes, when <environment> is a child of <namedElements>
-
No, when <environment> is a child of <role> or <component>
-
When declared as a child of the <role> or <component> elements, if ID is declared, USMT ignores the content of the <environment> element and the content of the <environment> element with the same name declared in the <namedElements> element is processed.
-
-
-
context
-
No
-
(default = UserAndSystem)
-
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
-
The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though <rules> were not there.
-
-
User. Evaluates the variables for each user.
-
System. Evaluates the variables only once for the system.
-
UserAndSystem. Evaluates the variables for the entire operating system and each user.
-
-
-
-
-
-
-
-##
-
-
-### Example scenario 1
-
-In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
-
-``` syntax
-
-
-
-
-
-```
-
-Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks.
-
-``` syntax
-
-
- %INSTALLPATH%\ [*.xyz]
-
-
-```
-
-Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\].
-
-``` syntax
-
-
-
-
-
- Hklm\software\companyname\application\ [Path]
-
-
-
-
-
-```
-
-### Example scenario 2:
-
-In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file:
-
-``` syntax
-
-
- %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt]
- %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File2.txt]
- %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File3.txt]
- %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File4.txt]
- %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File5.txt]
-
-
-```
-
-Instead of typing the path five times, you can create a variable for the location as follows:
-
-``` syntax
-
-
- %SYSTEMDRIVE%\data\userdata\dir1\dir2
-
-
-```
-
-Then, you can specify the variable in an <include> rule as follows:
-
-``` syntax
-
-
- %DATAPATH% [File1.txt]
- %DATAPATH% [File2.txt]
- %DATAPATH% [File3.txt]
- %DATAPATH% [File4.txt]
- %DATAPATH% [File5.txt]
-
-
-```
-
-## <exclude>
-
-
-The <exclude> element determines what objects will not be migrated, unless there is a more specific <include> element that migrates an object. If there is an <include> and <exclude> element for the same object, the object will be included. For each <exclude> element there can be multiple child <objectSet> elements.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Child elements:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<exclude> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent.
-
-Syntax:
-
-<exclude filter="*ScriptInvocation*">
-
-</exclude>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
filter
-
No
-
(default = No)
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-For example, from the MigUser.xml file:
-
-``` syntax
-
-
- %CSIDL_MYMUSIC%\* [*]
- %CSIDL_MYPICTURES%\* [*]
- %CSIDL_MYVIDEO%\* [*]
-
-
-```
-
-## <excludeAttributes>
-
-
-You can use the <excludeAttributes> element to determine which parameters associated with an object will not be migrated. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Child elements:**[<objectSet>](#objectset)
-
-Syntax:
-
-<excludeAttributes attributes="Security|TimeFields|Security,TimeFields">
-
-</excludeAttributes>
-
-
-
-
-
-
-
-
-
-
Parameter
-
Required?
-
Value
-
-
-
-
-
attributes
-
Yes
-
Specifies the attributes to be excluded. You can specify one of the following, or both separated by quotes; for example, "Security","TimeFields":
-
-
Security can be one of Owner, Group, DACL, or SACL.
-
TimeFields can be one of CreationTime, LastAccessTime and LastWrittenTime
-
-
-
-
-
-
-
-Example:
-
-``` syntax
-
-
-
- System Data
-
-
-
-
-
- %SYSTEMDRIVE%\ [*.txt]
-
-
-
-
-
- %SYSTEMDRIVE%\ [a*.txt]
-
-
-
-
-
- %SYSTEMDRIVE%\ [aa.txt]
-
-
-
-
-
- logoff
-
-
-
-
-
-
- DOC
- PPT
- VXD
- PST
- CPP
-
-
-
-```
-
-## <extensions>
-
-
-The <extensions> element is a container for one or more <extension> elements.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<component>](#component)
-
-- **Required child elements:**[<extension>](#extension)
-
-Syntax:
-
-<extensions>
-
-</extensions>
-
-## <extension>
-
-
-You can use the <extension> element to specify documents of a specific extension.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<extensions>](#extensions)
-
-- **Child elements:** none
-
-Syntax:
-
-<extension>*FilenameExtension*</extension>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
FilenameExtension
-
Yes
-
A file name extension.
-
-
-
-
-
-
-For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element:
-
-``` syntax
-
- doc
-
-```
-
-is the same as specifying the following code below the <rules> element:
-
-``` syntax
-
-
-
-
-
-```
-
-For another example of how to use the <extension> element, see the example for [<excludeAttributes>](#excludeattributes).
-
-## <externalProcess>
-
-
-You can use the <externalProcess> element to run a command line during the migration process. For example, you may want to run a command after the LoadState process completes.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child elements:**[<commandLine>](#commandline)
-
-Syntax:
-
-<externalProcess when="pre-scan|scan-success|post-scan|pre-apply|apply-success|post-apply">
-
-</externalProcess>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
when
-
Yes
-
Indicates when the command line should be run. This value can be one of the following:
-
-
pre-scan before the scanning process begins.
-
scan-success after the scanning process has finished successfully.
-
post-scan after the scanning process has finished, whether it was successful or not.
-
pre-apply before the apply process begins.
-
apply-success after the apply process has finished successfully.
-
post-apply after the apply process has finished, whether it was successful or not.
-
-
-
-
-
-
-
-For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes).
-
-## <icon>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <include>
-
-
-The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child element:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore.
-
-Syntax:
-
-<include filter="*ScriptInvocation*">
-
-</include>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
filter
-
No.
-
If this parameter is not specified, then all patterns that are inside the child <ObjectSet> element will be processed.
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
- My Video
-
- %CSIDL_MYVIDEO%
-
-
-
-
- MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
-
-
-
-
-
- %CSIDL_MYVIDEO%\* [*]
-
-
-
-
- %CSIDL_MYVIDEO% [desktop.ini]
-
-
-
-
-
-```
-
-### <include> and <exclude> filter functions
-
-The following functions return a Boolean value. You can use them to migrate certain objects based on when certain conditions are met.
-
-- **AnswerNo**
-
- This filter always returns FALSE.
-
- Syntax: AnswerNo ()
-
-- **CompareStringContent**
-
- Syntax: CompareStringContent("*StringContent*","*CompareType*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
StringContent
-
Yes
-
The string to check against.
-
-
-
CompareType
-
Yes
-
A string. Use one of the following values:
-
-
Equal (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to StringContent.
-
NULLor any other value. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match StringContent.
-
-
-
-
-
-
-
-- **IgnoreIrrelevantLinks**
-
- This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool.
-
- Syntax: IgnoreIrrelevantLinks ()
-
- For example:
-
- ``` syntax
-
-
- %CSIDL_COMMON_VIDEO%\* [*]
-
-
- ```
-
-- **NeverRestore**
-
- You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the ScanState tool, this function evaluates to TRUE. When run with the LoadState tool, this function evaluates to FALSE. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination.
-
- Syntax: NeverRestore()
-
- In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer:
-
- ``` syntax
-
-
- HKCU\Control Panel\International [Locale]
-
-
- ```
-
-## <includeAttributes>
-
-
-You can use the <includeAttributes> element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Child elements:**[<objectSet>](#objectset)
-
-Syntax:
-
-<includeAttributes attributes="Security|TimeFields|Security,TimeFields">
-
-</includeAttributes>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
attributes
-
Yes
-
Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, "Security","TimeFields":
-
-
Security can be one of the following values:
-
-
Owner. The owner of the object (SID).
-
Group. The primary group for the object (SID).
-
DACL (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
-
SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
-
-
TimeFields can be one of the following:
-
-
CreationTime. Specifies when the file or directory was created.
-
LastAccessTime. Specifies when the file is last read from, written to, or, in the case of executable files, run.
-
LastWrittenTime. Specifies when the file is last written to, truncated, or overwritten.
-
-
-
-
-
-
-
-
-For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes).
-
-## <library>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <location>
-
-
-The <location> element defines the location of the <object> element.
-
-- **Number of occurrences:** once for each <object>
-
-- **Parent elements:**[<object>](#object)
-
-- **Child elements:**[<script>](#script)
-
-Syntax:
-
-<location type="*typeID*">*ObjectLocation*</location>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
type
-
Yes
-
typeID can be Registry or File.
-
-
-
ObjectLocation
-
Yes
-
The location of the object.
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-```
-
-## <locationModify>
-
-
-You can use the <locationModify> element to change the location and name of an object before it is migrated to the destination computer. The <locationModify> element is processed only when the LoadState tool is run on the destination computer. In other words, this element is ignored by the ScanState tool. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist.
-
-**Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child element:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<locationModify> functions](#locationmodifyfunctions) with this element: ExactMove, RelativeMove, and Move.
-
-Syntax:
-
-<locationModify script="*ScriptInvocation*">
-
-</locationModify>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
script
-
Yes
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
- %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip]
-
-
-```
-
-### <locationModify> functions
-
-The following functions change the location of objects as they are migrated when using the <locationModify> element. These functions are called for every object that the parent <ObjectSet> element is enumerating. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist.
-
-- **ExactMove**
-
- The ExactMove function moves all of the objects that are matched by the parent <ObjectSet> element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply.
-
- Syntax: ExactMove(*ObjectEncodedLocation*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectEncodedLocation
-
Yes
-
The destination location for all of the source objects.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
- HKCU\Keyboard Layout\Toggle []
-
-
-```
-~~~
-
-- **Move**
-
- The Move function moves objects to a different location on the destination computer. In addition, this function creates subdirectories that were above the longest CSIDL in the source object name.
-
- Syntax: Move(*DestinationRoot*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
DestinationRoot
-
Yes
-
The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name.
-
-
-
-
-
-
-- **RelativeMove**
-
- You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers.
-
- Syntax: RelativeMove(*SourceRoot*,*DestinationRoot*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
SourceRoot
-
Yes
-
The location from where the objects will be moved. Any source objects that are enumerated by the parent <ObjectSet> element that are not in this location will not be moved.
-
-
-
DestinationRoot
-
Yes
-
The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above SourceRoot.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
- %CSIDL_COMMON_FAVORITES%\* [*]
-
-
-
-
- %CSIDL_COMMON_FAVORITES%\* [*]
-
-
-```
-~~~
-
-## <\_locDefinition>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <manufacturer>
-
-
-The <manufacturer> element defines the manufacturer for the component, but does not affect the migration.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<component>](#component)
-
-- **Child elements:** none
-
-Syntax:
-
-<manufacturer>*Name*</manufacturer>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
Name
-
Yes
-
The name of the manufacturer for the component.
-
-
-
-
-
-
-## <merge>
-
-
-The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific.
-
-For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child element:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue().
-
-Syntax:
-
-<merge script="*ScriptInvocation*">
-
-</merge>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
script
-
Yes
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
-
-
-
-
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
-
-
- %CSIDL_MYVIDEO%\* [*]
-
-
-
-
- %CSIDL_MYVIDEO% [desktop.ini]
-
-
-
-```
-
-### <merge> functions
-
-These functions control how collisions are resolved.
-
-- **DestinationPriority**
-
- Specifies to keep the object that is on the destination computer and not migrate the object from the source computer.
-
- For example:
-
- ``` syntax
-
-
- HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures]
- HKCU\Software\Microsoft\Office\9.0\PhotoDraw\Settings\ [PicturesPath]
- HKCU\Software\Microsoft\Office\9.0\PhotoDraw\Settings\ [AdditionalPlugInPath]
-
-
- ```
-
-- **FindFilePlaceByPattern**
-
- The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: <F>, <E>, <N> in any order.
-
- Syntax: FindFilePlaceByPattern(*FilePattern*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
FilePattern
-
Yes
-
-
<F> will be replaced by the original file name.
-
<N> will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.
-
<E> will be replaced by the original file name extension.
-
-
For example, <F> (<N>).<E> will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer.
-
-
-
-
-
-
-- **NewestVersion**
-
- The NewestVersion function will resolve conflicts on the destination computer based on the version of the file.
-
- Syntax: NewestVersion(*VersionTag*)
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
VersionTag
-
Yes
-
The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest VersionTag version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.
-
-
-
-
-
-
-- **HigherValue()**
-
- You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged.
-
-- **LowerValue()**
-
- You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged.
-
-- **SourcePriority**
-
- Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer.
-
- For example:
-
- ``` syntax
-
-
- %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion]
- %HklmWowSoftware%\Microsoft\Office\11.0\Common\Migration\Publisher [UpgradeVersion]
- %HklmWowSoftware%\Microsoft\Office\10.0\Common\Migration\Publisher [UpgradeVersion]
-
-
- ```
-
-## <migration>
-
-
-The <migration> element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: <CustomFileName> is the name of the file; for example, "CustomApp".
-
-- **Number of occurrences:** one
-
-- **Parent elements:** none
-
-- **Required child elements:**[<component>](#component)
-
-- **Optional child elements:**[<library>](#library), [<namedElements>](#namedelements)
-
-Syntax:
-
-<migration urlid="UrlID/Name">
-
-</migration>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
urlid
-
Yes
-
UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces.
-
-
-
Name
-
No
-
Although not required, it is good practice to use the name of the .xml file.
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-```
-
-## MigXMLHelper.FileProperties
-
-
-This filter helper function can be used to filter the migration of files based on file size and date attributes.
-
-
Size: A numeral with B, KB, MB, or GB at the end. “5GB”, “1KB-1MB”
-
-
-
-
-
-
-``` syntax
-
-File_size
-
-
-
-
-
- %SYSTEMDRIVE%\DOCS\* [*]
-
-
-
-
-
-```
-
-## <namedElements>
-
-
-You can use the **<namedElements>** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the MigApp.xml file.
-
-Syntax:
-
-<namedElements>
-
-</namedElements>
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<migration>](#migration)
-
-- **Child elements:**[<environment>](#bkmk-environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), <detects>, <detect>
-
-For an example of this element, see the MigApp.xml file.
-
-## <object>
-
-
-The <object> element represents a file or registry key.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<addObjects>](#addobjects)
-
-- **Required child elements:**[<location>](#location), [<attributes>](#attribute)
-
-- **Optional child elements:**[<bytes>](#bytes)
-
-Syntax:
-
-<object>
-
-</object>
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-```
-
-## <objectSet>
-
-
-The <objectSet> element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child <conditions> elements will be evaluated first. If all child <conditions> elements return FALSE, the <objectSet> element will evaluate to an empty set. For each parent element, there can be only multiple <objectSet> elements.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [<unconditionalExclude>](#unconditionalexclude), <detect>
-
-- **Required child elements:** either [<script>](#script) or [<pattern>](#pattern)
-
-- **Optional child elements:**[<content>](#content), [conditions](#conditions), <condition>
-
-Syntax:
-
-<objectSet>
-
-</objectSet>
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
- My Music
-
- %CSIDL_MYMUSIC%
-
-
-
-
- MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
-
-
-
-
- %CSIDL_MYMUSIC%\* [*]
-
-
-
-
- %CSIDL_MYMUSIC%\ [desktop.ini]
-
-
-
-
-
-```
-
-## <path>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <paths>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <pattern>
-
-
-You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar:
-
-``` syntax
-C:\Folder\* [Sample.doc]
-
-```
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<objectSet>](#objectset)
-
-- **Child elements:** none but *Path* \[*object*\] must be valid.
-
-Syntax:
-
-<pattern type="*typeID*">*Path* \[*object*\]</pattern>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
type
-
Yes
-
typeID can be Registry, File, or Ini. If typeId is Ini, then you cannot have a space between Path and object. For example, the following is correct when type="Ini":
A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated.
-
-
Path can contain the asterisk () wildcard character or can be an Recognized Environment Variables. You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.
-
Object can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example:
-
C:\Folder\ [] enumerates all files in C:<em>Path but no subfolders of C:\Folder.
-
C:\Folder* [] enumerates all files and subfolders of C:\Folder.
-
C:\Folder\ [*.mp3] enumerates all .mp3 files in C:\Folder.
-
C:\Folder\ [Sample.doc] enumerates only the Sample.doc file located in C:\Folder.
-
-Note
If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
-
-
-
-
-
-
-
-
-
-
-
-For example:
-
-- To migrate a single registry key:
-
- ``` syntax
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
- ```
-
-- To migrate the EngineeringDrafts folder and any subfolders from the C: drive:
-
- ``` syntax
- C:\EngineeringDrafts\* [*]
- ```
-
-- To migrate only the EngineeringDrafts folder, excluding any subfolders, from the C: drive:
-
- [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-
-- To migrate the Sample.doc file from C:\\EngineeringDrafts:
-
- ``` syntax
- C:\EngineeringDrafts\ [Sample.doc]
- ```
-
-- To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated.
-
- ``` syntax
- C:\* [Sample.doc]
- ```
-
-- For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), [Include Files and Settings](usmt-include-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
-
-## <processing>
-
-
-You can use this element to run a script during a specific point within the migration process. Return values are not expected from the scripts that you specify, and if there are return values, they will be ignored.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child element:**[<script>](#script)
-
-Syntax:
-
-<processing when="pre-scan|scan-success|post-scan|pre-apply|apply-success|post-apply">
-
-</processing>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
when
-
Yes
-
Indicates when the script should be run. This value can be one of the following:
-
-
pre-scan means before the scanning process begins.
-
scan-success means after the scanning process has finished successfully.
-
post-scan means after the scanning process has finished, whether it was successful or not.
-
pre-apply means before the apply process begins.
-
apply-success means after the apply process has finished successfully.
-
post-apply means after the apply process has finished, whether it was successful or not.
-
-
-
-
-
-
-
-## <plugin>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <role>
-
-
-The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here.
-
-- **Number of occurrences:** Each <component> can have one, two or three child <role> elements.
-
-- **Parent elements:**[<component>](#component), [<role>](#role)
-
-- **Required child elements:**[<rules>](#rules)
-
-- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>,
-
-Syntax:
-
-<role role="Container|Binaries|Settings|Data">
-
-</role>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
role
-
Yes
-
Defines the role for the component. Role can be one of:
-
-
Container
-
Binaries
-
Settings
-
Data
-
-
You can either:
-
-
Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
-
Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
-
-
-
-The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file:
-
-``` syntax
-
- Start Menu
-
- %CSIDL_STARTMENU%
-
-
-
-
- MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")
-
-
-
-
-
- %CSIDL_STARTMENU%\* [*]
-
-
-
-
- %CSIDL_STARTMENU% [desktop.ini]
- %CSIDL_STARTMENU%\* [*]
-
-
-
-
-
-```
-
-## <rules>
-
-
-The <rules> element is required in a custom .xml file. This element contains rules that will run during the migration if the parent <component> element is selected, unless the child <conditions> element, if present, evaluates to FALSE. For each <rules> element there can be multiple child <rules> elements.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements)
-
-- **Required child elements:**[<include>](#include)
-
-- **Optional child elements:**[<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalexclude),[<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<addObjects>](#addobjects), [<externalProcess>](#externalprocess), [<processing>](#processing), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [conditions](#conditions), <detects>
-
-Syntax:
-
-<rules name="*ID*" context="User|System|UserAndSystem">
-
-</rules>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
name
-
Yes, when <rules> is a child to <namedElements>
-
No, when <rules> is a child to any other element
-
When ID is specified, any child elements are not processed. Instead, any other <rules> elements with the same name that are declared within <namedElements> are processed.
-
-
-
context
-
No
-
(default = UserAndSystem)
-
Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both.
-
The largest possible scope is set by the component element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If <rules> had a context of System, it would act as though <rules> was not there.
-
-
User. Evaluates the variables for each user.
-
System. Evaluates the variables only once for the system.
-
UserAndSystem. Evaluates the variables for the entire operating system and each user.
-
-
-
-
-
-
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
- My Music
-
- %CSIDL_MYMUSIC%
-
-
-
-
- MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
-
-
-
-
-
- %CSIDL_MYMUSIC%\* [*]
-
-
-
-
- %CSIDL_MYMUSIC%\ [desktop.ini]
-
-
-
-
-
-```
-
-## <script>
-
-
-The return value that is required by <script> depends on the parent element.
-
-**Number of occurrences:** Once for [<variable>](#variable), unlimited for [<objectSet>](#objectset) and [<processing>](#processing)
-
-**Parent elements:**[<objectSet>](#objectset), [<variable>](#variable), [<processing>](#processing)
-
-**Child elements:** none
-
-**Syntax and helper functions:**
-
-- General Syntax: <script>*ScriptWithArguments*</script>
-
-- You can use [GetStringContent](#scriptfunctions) when <script> is within <variable>.
-
- Syntax: <script>MigXmlHelper.GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")</script>
-
- Example: ``
-
-- You can use [GenerateUserPatterns](#scriptfunctions) when <script> is within <objectSet>.
-
- Syntax: <script>MigXmlHelper.GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")</script>
-
- Example: ``
-
-- You can use [GenerateDrivePatterns](#scriptfunctions) when <script> is within <objectSet>.
-
- Syntax: <script>MigXmlHelper.GenerateDrivePatterns("*PatternSegment*","*DriveType*")</script>
-
- Example: ``
-
-- You can use the [Simple executing scripts](#scriptfunctions) with <script> elements that are within <processing> elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM.
-
- Syntax: <script>MigXmlHelper.*ExecutingScript*</script>
-
- Example: ``
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ScriptWithArguments
-
Yes
-
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
-
The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
-
The return value that is required by <script> depends on the parent element.
-
-
When used within <variable>, the return value must be a string.
-
When used within <objectSet>, the return value must be a two-dimensional array of strings.
-
When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location.
-
-Note
If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
-
-
-
-
-
-
-
-
-
-
-
-Examples:
-
-To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated.
-
-``` syntax
-
-```
-
-For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
-
-### <script> functions
-
-You can use the following functions with the <script> element
-
-- [String and pattern generating functions](#stringgeneratingfunctions)
-
-- [Simple executing scripts](#simple)
-
-### String and pattern generating functions
-
-These functions return either a string or a pattern.
-
-- **GetStringContent**
-
- You can use GetStringContent with <script> elements that are within <variable> elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL.
-
- Syntax: GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ObjectType
-
Yes
-
The type of object. Can be Registry or Ini (for an .ini file).
-
-
-
EncodedLocationPattern
-
Yes
-
-
If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[].
-
If the type of object is Ini, then EncodedLocationPattern must be in the following format:
-
IniFilePath|SectionName[SettingName]
-
-
-
-
ExpandContent
-
No (default=TRUE)
-
Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned.
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-```
-~~~
-
-- **GenerateDrivePatterns**
-
- The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>.
-
- Syntax: GenerateDrivePatterns("*PatternSegment*","*DriveType*")
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
PatternSegment
-
Yes
-
The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:", to form a complete encoded file pattern. For example, "* [*.doc]". PatternSegment cannot be an environment variable.
-
-
-
DriveType
-
Yes
-
The drive type for which the patterns are to be generated. You can specify one of:
-
-
Fixed
-
CDROM
-
Removable
-
Remote
-
-
-
-
-
-
-
-~~~
-See the last component in the MigUser.xml file for an example of this element.
-~~~
-
-- **GenerateUserPatterns**
-
- The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns:
-
- - "C:\\Documents and Settings\\A\\\* \[\*.doc\]"
-
- - "C:\\Documents and Settings\\B\\\* \[\*.doc\]"
-
- - "C:\\Documents and Settings\\C\\\* \[\*.doc\]"
-
- Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")
-
-
Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.
-
-
-
-
-
-
-~~~
-**Example:**
-
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
-
-The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
-
-``` syntax
-
-
-
-
-
-
-
-
- %ProfilesFolder%\* [*.doc]
-
-
-
-
-
-
- %ProfilesFolder%\* [*.doc]
-
-
-
-
-
-
-
-
-```
-~~~
-
-### MigXmlHelper.GenerateDocPatterns
-
-This helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either System or User context to focus the scan.
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ScanProgramFiles
-
No (default = FALSE)
-
Can be TRUE or FALSE. The ScanProgramFiles parameter determines whether or not the document finder scans the Program Files directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop.
-
-
-
IncludePatterns
-
No (default = TRUE)
-
Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the <include> element. FALSE will generate exclude patterns and can be added under the <exclude> element.
-
-
-
SystemDrive
-
No (default = FALSE)
-
Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive.
-
-
-
-
-
-
-``` syntax
-
-
- MigDocUser
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-### Simple executing scripts
-
-The following scripts have no return value. You can use the following errors with <script> elements that are within <processing> elements
-
-- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example:
-
- ``` syntax
-
-
-
- ```
-
-- **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value.
-
-- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example:
-
- ``` syntax
-
-
-
- ```
-
-- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example:
-
- ``` syntax
-
-
-
- ```
-
-- **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer.
-
-- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example:
-
- ``` syntax
-
-
-
- ```
-
-- **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=267898).
-
-- **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service.
-
-- **SyncSCM(ServiceShortName).** Reads the Start type value from the registry (HKLM\\System\\CurrentControlSet\\Services\\ServiceShortName \[Start\]) after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value.
-
-## <text>
-
-
-You can use the <text> element to set a value for any environment variables that are inside one of the migration .xml files.
-
-- **Number of occurrences:** Once in each [<variable>](#variable) element.
-
-- **Parent elements:**[<variable>](#variable)
-
-- **Child elements:** None.
-
-Syntax:
-
-<text>*NormalText*</text>
-
-
-
-
-
-
-
-
-
Setting
-
Value
-
-
-
-
-
NormalText
-
This is interpreted as normal text.
-
-
-
-
-
-
-For example:
-
-``` syntax
-
- %CSIDL_COMMON_APPDATA%\QuickTime
-
-```
-
-## <unconditionalExclude>
-
-
-The <unconditionalExclude> element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the Config.xml file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit <include> rules to include .mp3 files, if you specify to exclude them with this option, then they will not be migrated.
-
-Use this element if you want to exclude all .mp3 files from the source computer. Or, if you are backing up C:\\UserData using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer.
-
-- **Number of occurrences:** Unlimited.
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Child elements:**[<objectSet>](#objectset)
-
-Syntax:
-
-<unconditionalExclude></unconditionalExclude>
-
-The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
-
-``` syntax
-
-
- Test
-
-
-
-
-
-
-
-
-
-
-
-```
-
-## <variable>
-
-
-The <variable> element is required in an <environment> element. For each <variable> element there must be one <objectSet>, <script>, or <text> element. The content of the <variable> element assigns a text value to the environment variable. This element has the following three options:
-
-1. If the <variable> element contains a <text> element, then the value of the variable element will be the value of the <text> element.
-
-2. If the <variable> element contains a <script> element and the invocation of the script produces a non-null string, then the value of the <variable> element will be the result of the script invocation.
-
-3. If the <variable> element contains an <objectSet> element and the evaluation of the <objectSet> element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<environment>](#bkmk-environment)
-
-- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectset)
-
-Syntax:
-
-<variable name="*ID*" remap=TRUE|FALSE>
-
-</variable>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
name
-
Yes
-
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify MyComponent.InstallPath.
-
-
-
remap
-
No, default = FALSE
-
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer.
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
- HKLM\Software
-
-
-
-
-
-```
-
-## <version>
-
-
-The <version> element defines the version for the component, but does not affect the migration.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<component>](#component)
-
-- **Child elements:** none
-
-Syntax:
-
-<version>*ComponentVersion*</version>
-
-
-
-
-
-
-
-
-
-
Setting
-
Required?
-
Value
-
-
-
-
-
ComponentVersion
-
Yes
-
The version of the component, which can contain patterns.
-
-
-
-
-
-
-For example:
-
-``` syntax
-4.*
-```
-
-## <windowsObjects>
-
-
-The <windowsObjects> element is for USMT internal use only. Do not use this element.
-
-## Appendix
-
-
-### Specifying locations
-
-- **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
-
- For example, specify the file C:\\Windows\\Notepad.exe like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory C:\\Windows\\System32 like this: `c:\Windows\System32`. (Notice the absence of the \[\] construct.)
-
- Representing the registry is very similar. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key will be `HKLM\SOFTWARE\MyKey[]`.
-
-- **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
-
- For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories. But it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`.
-
-### Internal USMT functions
-
-The following functions are for internal USMT use only. Do not use them in an .xml file.
-
-- AntiAlias
-
-- ConvertScreenSaver
-
-- ConvertShowIEOnDesktop
-
-- ConvertToOfficeLangID
-
-- MigrateActiveDesktop
-
-- MigrateAppearanceUPM
-
-- MigrateDisplayCS
-
-- MigrateDisplaySS
-
-- MigrateIEAutoSearch
-
-- MigrateMouseUPM
-
-- MigrateSoundSysTray
-
-- MigrateTaskBarSS
-
-- SetPstPathInMapiStruc
-
-### Valid version tags
-
-You can use the following version tags with various helper functions:
-
-- “CompanyName”
-
-- “FileDescription”
-
-- “FileVersion”
-
-- “InternalName”
-
-- “LegalCopyright”
-
-- “OriginalFilename”
-
-- “ProductName”
-
-- “ProductVersion”
-
-The following version tags contain values that can be compared:
-
-- “FileVersion”
-
-- “ProductVersion”
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: XML Elements Library (Windows 10)
+description: XML Elements Library
+ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# XML Elements Library
+
+
+## Overview
+
+
+This topic describes the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). It is assumed that you understand the basics of XML. .
+
+## In This Topic
+
+
+In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions.
+
+- [Elements and helper functions](#elements)
+
+- [Appendix](#appendix)
+
+ - [Specifying locations](#locations)
+
+ - [Internal USMT functions](#internalusmtfunctions)
+
+ - [Valid version tags](#allowed)
+
+## Elements and Helper Functions
+
+
+The following table describes the XML elements and helper functions you can use with USMT.
+
+
+
+
+
+## <addObjects>
+
+
+The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attribute) as child elements of this <object> element.
+
+- **Optional child elements:**[<conditions>](#conditions), <condition>, [<script>](#script)
+
+Syntax:
+
+<addObjects>
+
+</addObjects>
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+```
+
+## <attributes>
+
+
+The <attributes> element defines the attributes for a registry key or file.
+
+- **Number of occurrences:** once for each <object>
+
+- **Parent elements:**[<object>](#object)
+
+- **Child elements:** none
+
+Syntax:
+
+<attributes>*Content*</attributes>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Content
+
Yes
+
The content depends on the type of object specified.
+
+
For files, the content can be a string containing any of the following attributes separated by commas:
+
+
Archive
+
Read-only
+
System
+
Hidden
+
+
For registry keys, the content can be one of the following types:
+
+
None
+
String
+
ExpandString
+
Binary
+
Dword
+
REG_SZ
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+```
+
+## <bytes>
+
+
+You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<object>](#object)
+
+- **Child elements:** none
+
+Syntax:
+
+<bytes string="Yes|No" expand="Yes|No">*Content*</bytes>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
string
+
No, default is No
+
Determines whether Content should be interpreted as a string or as bytes.
+
+
+
expand
+
No (default = Yes
+
When the expand parameter is Yes, the content of the <bytes> element is first expanded in the context of the source computer and then interpreted.
+
+
+
Content
+
Yes
+
Depends on the value of the string.
+
+
When the string is Yes: the content of the <bytes> element is interpreted as a string.
+
When the string is No: the content of the <bytes> element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, "616263" is the representation for the "abc" ANSI string. A complete representation of the UNICODE string "abc" including the string terminator would be: "6100620063000000".
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+```
+
+## <commandLine>
+
+
+You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<externalProcess>](#externalprocess)
+
+- **Child elements:** none****
+
+Syntax:
+
+<commandLine>*CommandLineString*</commandLine>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
CommandLineString
+
Yes
+
A valid command line.
+
+
+
+
+
+
+## <component>
+
+
+The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component.
+
+A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<migration>](#migration), [<role>](#role)
+
+- **Required child elements:**[<role>](#role), [<displayName>](#displayname)
+
+- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions)
+
+Syntax:
+
+<component type="System|Application|Device|Documents" context="User|System|UserAndSystem" defaultSupported="TRUE|FALSE|YES|NO"
+
+hidden="Yes|No">
+
+</component>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
type
+
Yes
+
You can use the following to group settings, and define the type of the component.
+
+
System: Operating system settings. All Windows® components are defined by this type.
+
When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.
+
Application: Settings for an application.
+
Device: Settings for a device.
+
Documents: Specifies files.
+
+
+
+
context
+
No
+
Default = UserAndSystem
+
Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both.
+
The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If a <rules> element has a context of System, it would act as though the <rules> element is not there.
+
+
User. Evaluates the component for each user.
+
System. Evaluates the component only once for the system.
+
UserAndSystem. Evaluates the component for the entire operating system and each user.
+
+
+
+
defaultSupported
+
No
+
(default = TRUE)
+
Can be any of TRUE, FALSE, YES or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer.
+
When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.
+
+
+
hidden
+
+
This parameter is for internal USMT use only.
+
+
+
+
+
+
+For an example, see any of the default migration .xml files.
+
+## <condition>
+
+
+Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements.
+
+The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated.
+
+- **Number of occurrences:** unlimited.
+
+- **Parent elements:**[<conditions>](#conditions), <detect>, <objectSet>, <addObjects>
+
+- **Child elements:** none
+
+- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent.
+
+Syntax:
+
+<condition negation="Yes|No">*ScriptName*</condition>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
negation
+
No
+
Default = No
+
"Yes" reverses the True/False value of the condition.
+
+
+
ScriptName
+
Yes
+
A script that has been defined within this migration section.
+
+
+
+
+
+
+For example,
+
+In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example:
+
+``` xml
+
+
+ A
+
+
+ B
+
+
+```
+
+However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section.
+
+``` xml
+
+
+ A
+ B
+
+
+```
+
+### <condition> functions
+
+The <condition> functions return a Boolean value. You can use these elements in <addObjects> conditions.
+
+- [Operating system version functions](#operatingsystemfunctions)
+
+- [Object content functions](#objectcontentfunctions)
+
+### Operating system version functions
+
+- **DoesOSMatch**
+
+ All matches are case insensitive.
+
+ Syntax: DoesOSMatch("*OSType*","*OSVersion*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
OSType
+
Yes
+
The only valid value for this setting is NT. Note, however, that you must set this setting for the <condition> functions to work correctly.
+
+
+
OSVersion
+
Yes
+
The major version, minor version, build number and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.
+
+
+
+
+
+
+~~~
+For example:
+
+<condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition>
+~~~
+
+- **IsNative64Bit**
+
+ The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE.
+
+- **IsOSLaterThan**
+
+ All comparisons are case insensitive.
+
+ Syntax: IsOSLaterThan("*OSType*","*OSVersion*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
OSType
+
Yes
+
Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE.
+
+
+
OSVersion
+
Yes
+
The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
+
The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to OSVersion.
+
+
+
+
+
+
+~~~
+For example:
+
+<condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition>
+~~~
+
+- **IsOSEarlierThan**
+
+ All comparisons are case insensitive.
+
+ Syntax: IsOSEarlierThan("*OSType*","*OSVersion*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
OSType
+
Yes
+
Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE.
+
+
+
OSVersion
+
Yes
+
The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
+
The IsOSEarlierThan function returns TRUE if the current operating system is earlier than OSVersion.
+
+
+
+
+
+
+### Object content functions
+
+- **DoesObjectExist**
+
+ The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration.
+
+ Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*")
+
+
+
+
+
+~~~
+For an example of this element, see the MigApp.xml file.
+~~~
+
+- **DoesFileVersionMatch**
+
+ The pattern check is case insensitive.
+
+ Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
EncodedFileLocation
+
Yes
+
The location pattern for the file that will be checked. Environment variables are allowed.
+
+
+
+~~~
+For example:
+
+<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition>
+
+<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition>
+~~~
+
+- **IsFileVersionAbove**
+
+ The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*.
+
+ Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
EncodedFileLocation
+
Yes
+
The location pattern for the file that will be checked. Environment variables are allowed.
The value to compare to. You cannot specify a pattern.
+
+
+
+
+
+
+- **IsSystemContext**
+
+ The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE.
+
+ Syntax: IsSystemContext()
+
+- **DoesStringContentEqual**
+
+ The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`.
+
+ Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectType
+
Yes
+
Defines the type of object. Can be File or Registry.
+
+
+
EncodedLocationPattern
+
Yes
+
The encoded location for the object that will be examined. You can specify environment variables.
+
+
+
StringContent
+
Yes
+
The string that will be checked against.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","")
+```
+~~~
+
+- **DoesStringContentContain**
+
+ The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object.
+
+ Syntax: DoesStringContentContain("*ObjectType*","*EncodedLocation*","*StrToFind*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectType
+
Yes
+
Defines the type of object. Can be File or Registry.
+
+
+
EncodedLocationPattern
+
Yes
+
The encoded location for the object that will be examined. You can specify environment variables.
+
+
+
StrToFind
+
Yes
+
A string that will be searched inside the content of the given object.
+
+
+
+
+
+
+- **IsSameObject**
+
+ The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE.
+
+ Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectType
+
Yes
+
Defines the type of object. Can be File or Registry.
+
+
+
EncodedLocation1
+
Yes
+
The encoded location for the first object. You can specify environment variables.
+
+
+
EncodedLocation2
+
Yes
+
The encoded location for the second object. You can specify environment variables.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+ MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%")
+ %CSIDL_FAVORITES%\* [*]
+
+```
+~~~
+
+- **IsSameContent**
+
+ The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte.
+
+ Syntax: IsSameContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectType1
+
Yes
+
Defines the type of the first object. Can be File or Registry.
+
+
+
EncodedLocation1
+
Yes
+
The encoded location for the first object. You can specify environment variables.
+
+
+
ObjectType2
+
Yes
+
Defines the type of the second object. Can be File or Registry.
+
+
+
EncodedLocation2
+
Yes
+
The encoded location for the second object. You can specify environment variables.
+
+
+
+
+
+
+- **IsSameStringContent**
+
+ The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string.
+
+ Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectType1
+
Yes
+
Defines the type of the first object. Can be File or Registry.
+
+
+
EncodedLocation1
+
Yes
+
The encoded location for the first object. You can specify environment variables.
+
+
+
ObjectType2
+
Yes
+
Defines the type of the second object. Can be File or Registry.
+
+
+
EncodedLocation2
+
Yes
+
The encoded location for the second object. You can specify environment variables.
+
+
+
+
+
+
+## <conditions>
+
+
+The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter.
+
+- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
+
+- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
+
+- **Child elements:**[<conditions>](#conditions), [<condition>](#condition)
+
+Syntax:
+
+<conditions operation="AND|OR">
+
+</conditions>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
operation
+
No, default = AND
+
Defines the Boolean operation that is performed on the results that are obtained from the child elements.
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+ MigXmlHelper.IsNative64Bit()
+
+
+ HKLM\Software
+
+
+```
+
+## <content>
+
+
+You can use the <content> element to specify a list of object patterns to obtain an object set from the source computer. Each <objectSet> within a <content> element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the <content> element. The filter script returns an array of locations. The parent <objectSet> element can contain multiple child <content> elements.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<objectSet>](#objectset)
+
+- **Child elements:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<content> functions](#contentfunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory.
+
+Syntax:
+
+<content filter="*ScriptInvocation*">
+
+</content>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
filter
+
Yes
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script is called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+### <content> functions
+
+The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating.
+
+- **ExtractSingleFile**
+
+ If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL.
+
+ Syntax: ExtractSingleFile(*Separators*,*PathHints*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Separators
+
Yes
+
A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL.
+
+
+
PathHints
+
Yes
+
A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+```
+
+and
+
+``` xml
+
+```
+~~~
+
+- **ExtractMultipleFiles**
+
+ The ExtractMultipleFiles function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a MULTI-SZ, the MULTI-SZ separator is considered a separator by default. therefore, for MULTI-SZ, the <Separators> argument must be NULL.
+
+ The returned patterns are the encoded locations for files that must exist on the source computer. If the specification is correct in the registry value but the file does not exist, it will not be included in the resulting list.
+
+ Syntax: ExtractMultipleFiles(*Separators*,*PathHints*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Separators
+
Yes
+
A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values.
+
+
+
PathHints
+
Yes
+
A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.
+
+
+
+
+
+
+- **ExtractDirectory**
+
+ The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed.
+
+ Syntax: ExtractDirectory(*Separators*,*LevelsToTrim*,*PatternSuffix*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Separators
+
No
+
A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values.
+
+
+
LevelsToTrim
+
Yes
+
The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location.
+
+
+
PatternSuffix
+
Yes
+
The pattern to add to the directory specification. For example, * [*].
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+ %HklmWowSoftware%\Classes\Software\RealNetworks\Preferences\DT_Common []
+
+
+
+```
+~~~
+
+## <contentModify>
+
+
+The <contentModify> element modifies the content of an object before it is written to the destination computer. For each <contentModify> element there can be multiple <objectSet> elements. This element returns the new content of the object that is being processed.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child elements:**[<objectSet>](#objectset)
+
+- **Helper functions**: You can use the following [<contentModify> functions](#contentmodifyfunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent.
+
+Syntax:
+
+<contentModify script="*ScriptInvocation*">
+
+</contentModify>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
script
+
Yes
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+### <contentModify> functions
+
+The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating.
+
+- **ConvertToDWORD**
+
+ The ConvertToDWORD function converts the content of registry values that are enumerated by the parent <ObjectSet> element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied.
+
+ Syntax: ConvertToDWORD(*DefaultValueOnError*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
DefaultValueOnError
+
No
+
The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.
+
+
+
+
+
+
+- **ConvertToString**
+
+ The ConvertToString function converts the content of registry values that match the parent <ObjectSet> element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied.
+
+ Syntax: ConvertToString(*DefaultValueOnError*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
DefaultValueOnError
+
No
+
The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+ HKCU\Control Panel\Desktop [ScreenSaveUsePassword]
+
+
+```
+~~~
+
+- **ConvertToBinary**
+
+ The ConvertToBinary function converts the content of registry values that match the parent <ObjectSet> element to a binary type.
+
+ Syntax: ConvertToBinary ()
+
+- **OffsetValue**
+
+ The OffsetValue function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of 14, and the *Value* is "-2", the registry value will be 12 on the destination computer.
+
+ Syntax: OffsetValue(*Value*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Value
+
Yes
+
The string representation of a numeric value. It can be positive or negative. For example, OffsetValue(2).
+
+
+
+
+
+
+- **SetValueByTable**
+
+ The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied.
+
+ Syntax: SetValueByTable(*SourceTable*,*DestinationTable*,*DefaultValueOnError*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
SourceTable
+
Yes
+
A list of values separated by commas that are possible for the source registry values.
+
+
+
DestinationTable
+
No
+
A list of translated values separated by commas.
+
+
+
DefaultValueOnError
+
No
+
The value that will be applied to the destination computer if either 1) the value for the source computer does not match SourceTable, or 2) DestinationTable has no equivalent value.
+
If DefaultValueOnError is NULL, the value will not be changed on the destination computer.
+
+
+
+
+
+
+- **KeepExisting**
+
+ You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer.
+
+ Syntax: KeepExisting("*OptionString*","*OptionString*","*OptionString*",…)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
OptionString
+
Yes
+
OptionString can be Security, TimeFields, or FileAttrib:Letter. You can specify one of each type of OptionStrings. Do not specify multiple OptionStrings with the same value. If you do, the right-most option of that type will be kept. For example, do not specify ("FileAttrib:H", "FileAttrib:R") because only Read-only will be evaluated. Instead specify ("FileAttrib:HR") and both Hidden and Read-only attributes will be kept on the destination computer.
+
+
Security. Keeps the destination object's security descriptor if it exists.
+
TimeFields. Keeps the destination object's time stamps. This parameter is for files only.
+
FileAttrib:Letter. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after "FileAttrib:". You can specify any combination of the following attributes:
+
+
A = Archive
+
C = Compressed
+
E = Encrypted
+
H = Hidden
+
I = Not Content Indexed
+
O = Offline
+
R = Read-Only
+
S = System
+
T = Temporary
+
+
+
+
+
+
+
+
+- **MergeMultiSzContent**
+
+ The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed.
+
+ Syntax: MergeMultiSzContent (*Instruction*,*String*,*Instruction*,*String*,…)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Instruction
+
Yes
+
Can be one of the following:
+
+
Add. Adds the corresponding String to the resulting MULTI-SZ if it is not already there.
+
Remove. Removes the corresponding String from the resulting MULTI-SZ.
+
+
+
+
String
+
Yes
+
The string to be added or removed.
+
+
+
+
+
+
+- **MergeDelimitedContent**
+
+ The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed.
+
+ Syntax: MergeDelimitedContent(*Delimiters*,*Instruction*,*String*,…)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Delimiters
+
Yes
+
A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the Delimiters.
+
For example, "." will separate the string based on a period.
+
+
+
Instruction
+
Yes
+
Can one of the following:
+
+
Add. Adds String to the resulting MULTI-SZ if it is not already there.
+
Remove. Removes String from the resulting MULTI-SZ.
+
+
+
+
String
+
Yes
+
The string to be added or removed.
+
+
+
+
+
+
+## <description>
+
+
+The <description> element defines a description for the component but does not affect the migration.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<component>](#component)
+
+- **Child elements:** none
+
+Syntax:
+
+<description>*ComponentDescription*</description>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ComponentDescription
+
Yes
+
The description of the component.
+
+
+
+
+
+
+The following code sample shows how the <description> element defines the "My custom component" description.:
+
+``` xml
+My custom component
+```
+
+## <destinationCleanup>
+
+
+The <destinationCleanup> element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool.
+
+**Important**
+Use this option with extreme caution because it will delete objects from the destination computer.
+
+
+
+For each <destinationCleanup> element there can be multiple <objectSet> elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Child elements:**[<objectSet>](#objectset) (Note that the destination computer will delete all child elements.)
+
+Syntax:
+
+<destinationCleanup filter=*ScriptInvocation*>
+
+</destinationCleanup>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
filter
+
Yes
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+ HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*]
+ HKCU\Software\Lotus\123\99.0\Find Preferences\* [*]
+
+
+```
+
+## <detect>
+
+
+Although the <detect> element is still supported, we do not recommend using it because it may be deprecated in future versions of USMT. In that case, you would have to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection)**element.**
+
+You use the <detect> element to determine if the component is present on a system. If all child <detect> elements within a <detect> element resolve to TRUE, then the <detect> element resolves to TRUE. If any child <detect> elements resolve to FALSE, then their parent <detect> element resolves to FALSE. If there is no <detect> element section, then USMT will assume that the component is present.
+
+For each <detect> element there can be multiple child <condition> or <objectSet> elements, which will be logically joined by an OR operator. If at least one <condition> or <objectSet> element evaluates to TRUE, then the <detect> element evaluates to TRUE.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:** <detects>, [<namedElements>](#namedelements)
+
+- **Required child elements:**[<condition>](#condition)
+
+- **Optional child elements:**[<objectSet>](#objectset)
+
+Syntax:
+
+<detect name="*ID*" context="User|System|UserAndSystem">
+
+</detect>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
name
+
Yes, when <detect> is a child to <namedElements>
+
No, when <detect> is a child to <detects>
+
When ID is specified, any child elements are not processed. Instead, any other <detect> elements with the same name that are declared within the <namedElements> element are processed.
+
+
+
context
+
No
+
(default = UserAndSystem)
+
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
+
The largest possible scope is set by the component element. For example, if a <component> element has a context of User, and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.
+
+
User. Evaluates the variables for each user.
+
System. Evaluates the variables only once for the system.
+
UserAndSystem. Evaluates the variables for the entire operating system and each user.
+
+
+
+
+
+
+
+For examples, see the examples for [<detection>](#detection).
+
+## <detects>
+
+
+Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements.
+
+The <detects> element is a container for one or more <detect> elements. If all of the child <detect> elements within a <detects> element resolve to TRUE, then <detects> resolves to TRUE. If any of the child <detect> elements resolve to FALSE, then <detects> resolves to FALSE. If you do not want to write the <detects> elements within a component, then you can create the <detects> element under the <namedElements> element, and then refer to it. If there is no <detects> element section, then USMT will assume that the component is present. The results from each <detects> element are joined together by the OR operator to form the rule used to detect the parent element.
+
+Syntax:
+
+<detects name="*ID*" context="User|System|UserAndSystem">
+
+</detects>
+
+- **Number of occurrences:** Unlimited.
+
+- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements)
+
+- **Required child elements:** <detect>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
name
+
Yes, when <detects> is a child to <namedElements>
+
No, when <detects> is a child to <role> or <rules>
+
When ID is specified, no child <detect> elements are processed. Instead, any other <detects> elements with the same name that are declared within the <namedElements> element are processed.
+
+
+
context
+
No
+
(default = UserAndSystem)
+
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
+
The largest possible scope is set by the <component element>. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.
+
+
User. Evaluates the variables for each user.
+
System. Evaluates the variables only once for the system.
+
UserAndSystem. Evaluates the variables for the entire operating system and each user.
+
+
The context parameter is ignored for <detects> elements that are inside <rules> elements.
+
+
+
+
+
+
+The following example is from the MigApp.xml file.
+
+``` xml
+
+
+ MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*")
+
+
+ MigXmlHelper.DoesFileVersionMatch("%SmartSuiteInstPath%\smartctr.exe","ProductVersion","99.*")
+
+
+```
+
+## <detection>
+
+
+The <detection> element is a container for one <conditions> element. The result of the child <condition> elements, located underneath the <conditions> element, determines the result of this element. For example, if all of the child <conditions> elements within the <detection> element resolve to TRUE, then the <detection> element resolves to TRUE. If any of the child <conditions> elements resolve to FALSE, then the <detection> element resolves to FALSE.
+
+In addition, the results from each <detection> section within the <role> element are joined together by the OR operator to form the detection rule of the parent element. That is, if one of the <detection> sections resolves to TRUE, then the <role> element will be processed. Otherwise, the <role> element will not be processed.
+
+Use the <detection> element under the <namedElements> element if you do not want to write it within a component. Then include a matching <detection> section under the <role> element to control whether the component is migrated. If there is not a <detection> section for a component, then USMT will assume that the component is present.
+
+- **Number of occurrences:** Unlimited.
+
+- **Parent elements:**[<role>](#role), [<namedElements>](#namedelements)
+
+- **Child elements:**[<conditions>](#conditions)
+
+Syntax:
+
+<detection name="*ID*" context="User|System|UserAndSystem">
+
+</detection>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
name
+
+
Yes, when <detection> is declared under <namedElements>
+
Optional, when declared under <role>
+
+
If declared, the content of the <detection> element is ignored and the content of the <detection> element with the same name that is declared in the <namedElements> element will be evaluated.
+
+
+
context
+
No, default = UserAndSystem
+
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
+
+
User. Evaluates the component for each user.
+
System. Evaluates the component only once for the system.
+
UserAndSystem. Evaluates the component for the entire operating system and each user.
+
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+ MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0")
+ MigXmlHelper.DoesFileVersionMatch("%PhotoshopSuite8Path%\Photoshop.exe","FileVersion","8.*")
+
+
+```
+
+and
+
+``` xml
+
+
+
+ MigXmlHelper.DoesFileVersionMatch("%QuickTime5Exe%","ProductVersion","QuickTime 5.*")
+ MigXmlHelper.DoesFileVersionMatch("%QuickTime5Exe%","ProductVersion","QuickTime 6.*")
+
+
+```
+
+## <displayName>
+
+
+The <displayName> element is a required field within each <component> element.
+
+- **Number of occurrences:** once for each component
+
+- **Parent elements:**[<component>](#component)
+
+- **Child elements:** none
+
+Syntax:
+
+<displayName \_locID="*ID*">*ComponentName*</displayName>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
locID
+
No
+
This parameter is for internal USMT use. Do not use this parameter.
+
+
+
ComponentName
+
Yes
+
The name for the component.
+
+
+
+
+
+
+For example:
+
+``` xml
+Command Prompt settings
+```
+
+## <environment>
+
+
+The <environment> element is a container for <variable> elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#envex).
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<role>](#role), [<component>](#component), [<namedElements>](#namedelements)
+
+- **Required child elements:**[<variable>](#variable)
+
+- **Optional child elements:**[conditions](#conditions)
+
+Syntax:
+
+<environment name="ID" context="User|System|UserAndSystem">
+
+</environment>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
name
+
Yes, when <environment> is a child of <namedElements>
+
No, when <environment> is a child of <role> or <component>
+
When declared as a child of the <role> or <component> elements, if ID is declared, USMT ignores the content of the <environment> element and the content of the <environment> element with the same name declared in the <namedElements> element is processed.
+
+
+
context
+
No
+
(default = UserAndSystem)
+
Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.
+
The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though <rules> were not there.
+
+
User. Evaluates the variables for each user.
+
System. Evaluates the variables only once for the system.
+
UserAndSystem. Evaluates the variables for the entire operating system and each user.
+
+
+
+
+
+
+
+##
+
+
+### Example scenario 1
+
+In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
+
+``` xml
+
+
+
+
+
+```
+
+Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks.
+
+``` xml
+
+
+ %INSTALLPATH%\ [*.xyz]
+
+
+```
+
+Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\].
+
+``` xml
+
+
+
+
+
+ Hklm\software\companyname\application\ [Path]
+
+
+
+
+
+```
+
+### Example scenario 2:
+
+In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file:
+
+``` xml
+
+
+ %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt]
+ %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File2.txt]
+ %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File3.txt]
+ %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File4.txt]
+ %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File5.txt]
+
+
+```
+
+Instead of typing the path five times, you can create a variable for the location as follows:
+
+``` xml
+
+
+ %SYSTEMDRIVE%\data\userdata\dir1\dir2
+
+
+```
+
+Then, you can specify the variable in an <include> rule as follows:
+
+``` xml
+
+
+ %DATAPATH% [File1.txt]
+ %DATAPATH% [File2.txt]
+ %DATAPATH% [File3.txt]
+ %DATAPATH% [File4.txt]
+ %DATAPATH% [File5.txt]
+
+
+```
+
+## <exclude>
+
+
+The <exclude> element determines what objects will not be migrated, unless there is a more specific <include> element that migrates an object. If there is an <include> and <exclude> element for the same object, the object will be included. For each <exclude> element there can be multiple child <objectSet> elements.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Child elements:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<exclude> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent.
+
+Syntax:
+
+<exclude filter="*ScriptInvocation*">
+
+</exclude>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
filter
+
No
+
(default = No)
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+For example, from the MigUser.xml file:
+
+``` xml
+
+
+ %CSIDL_MYMUSIC%\* [*]
+ %CSIDL_MYPICTURES%\* [*]
+ %CSIDL_MYVIDEO%\* [*]
+
+
+```
+
+## <excludeAttributes>
+
+
+You can use the <excludeAttributes> element to determine which parameters associated with an object will not be migrated. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Child elements:**[<objectSet>](#objectset)
+
+Syntax:
+
+<excludeAttributes attributes="Security|TimeFields|Security,TimeFields">
+
+</excludeAttributes>
+
+
+
+
+
+
+
+
+
+
Parameter
+
Required?
+
Value
+
+
+
+
+
attributes
+
Yes
+
Specifies the attributes to be excluded. You can specify one of the following, or both separated by quotes; for example, "Security","TimeFields":
+
+
Security can be one of Owner, Group, DACL, or SACL.
+
TimeFields can be one of CreationTime, LastAccessTime and LastWrittenTime
+
+
+
+
+
+
+
+Example:
+
+``` xml
+
+
+
+ System Data
+
+
+
+
+
+ %SYSTEMDRIVE%\ [*.txt]
+
+
+
+
+
+ %SYSTEMDRIVE%\ [a*.txt]
+
+
+
+
+
+ %SYSTEMDRIVE%\ [aa.txt]
+
+
+
+
+
+ logoff
+
+
+
+
+
+
+ DOC
+ PPT
+ VXD
+ PST
+ CPP
+
+
+
+```
+
+## <extensions>
+
+
+The <extensions> element is a container for one or more <extension> elements.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<component>](#component)
+
+- **Required child elements:**[<extension>](#extension)
+
+Syntax:
+
+<extensions>
+
+</extensions>
+
+## <extension>
+
+
+You can use the <extension> element to specify documents of a specific extension.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<extensions>](#extensions)
+
+- **Child elements:** none
+
+Syntax:
+
+<extension>*FilenameExtension*</extension>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
FilenameExtension
+
Yes
+
A file name extension.
+
+
+
+
+
+
+For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element:
+
+``` xml
+
+ doc
+
+```
+
+is the same as specifying the following code below the <rules> element:
+
+``` xml
+
+
+
+
+
+```
+
+For another example of how to use the <extension> element, see the example for [<excludeAttributes>](#excludeattributes).
+
+## <externalProcess>
+
+
+You can use the <externalProcess> element to run a command line during the migration process. For example, you may want to run a command after the LoadState process completes.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child elements:**[<commandLine>](#commandline)
+
+Syntax:
+
+<externalProcess when="pre-scan|scan-success|post-scan|pre-apply|apply-success|post-apply">
+
+</externalProcess>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
when
+
Yes
+
Indicates when the command line should be run. This value can be one of the following:
+
+
pre-scan before the scanning process begins.
+
scan-success after the scanning process has finished successfully.
+
post-scan after the scanning process has finished, whether it was successful or not.
+
pre-apply before the apply process begins.
+
apply-success after the apply process has finished successfully.
+
post-apply after the apply process has finished, whether it was successful or not.
+
+
+
+
+
+
+
+For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes).
+
+## <icon>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <include>
+
+
+The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child element:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore.
+
+Syntax:
+
+<include filter="*ScriptInvocation*">
+
+</include>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
filter
+
No.
+
If this parameter is not specified, then all patterns that are inside the child <ObjectSet> element will be processed.
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+ My Video
+
+ %CSIDL_MYVIDEO%
+
+
+
+
+ MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")
+
+
+
+
+
+ %CSIDL_MYVIDEO%\* [*]
+
+
+
+
+ %CSIDL_MYVIDEO% [desktop.ini]
+
+
+
+
+
+```
+
+### <include> and <exclude> filter functions
+
+The following functions return a Boolean value. You can use them to migrate certain objects based on when certain conditions are met.
+
+- **AnswerNo**
+
+ This filter always returns FALSE.
+
+ Syntax: AnswerNo ()
+
+- **CompareStringContent**
+
+ Syntax: CompareStringContent("*StringContent*","*CompareType*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
StringContent
+
Yes
+
The string to check against.
+
+
+
CompareType
+
Yes
+
A string. Use one of the following values:
+
+
Equal (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to StringContent.
+
NULLor any other value. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match StringContent.
+
+
+
+
+
+
+
+- **IgnoreIrrelevantLinks**
+
+ This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool.
+
+ Syntax: IgnoreIrrelevantLinks ()
+
+ For example:
+
+ ``` xml
+
+
+ %CSIDL_COMMON_VIDEO%\* [*]
+
+
+ ```
+
+- **NeverRestore**
+
+ You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the ScanState tool, this function evaluates to TRUE. When run with the LoadState tool, this function evaluates to FALSE. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination.
+
+ Syntax: NeverRestore()
+
+ In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer:
+
+ ``` xml
+
+
+ HKCU\Control Panel\International [Locale]
+
+
+ ```
+
+## <includeAttributes>
+
+
+You can use the <includeAttributes> element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Child elements:**[<objectSet>](#objectset)
+
+Syntax:
+
+<includeAttributes attributes="Security|TimeFields|Security,TimeFields">
+
+</includeAttributes>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
attributes
+
Yes
+
Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, "Security","TimeFields":
+
+
Security can be one of the following values:
+
+
Owner. The owner of the object (SID).
+
Group. The primary group for the object (SID).
+
DACL (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
+
SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
+
+
TimeFields can be one of the following:
+
+
CreationTime. Specifies when the file or directory was created.
+
LastAccessTime. Specifies when the file is last read from, written to, or, in the case of executable files, run.
+
LastWrittenTime. Specifies when the file is last written to, truncated, or overwritten.
+
+
+
+
+
+
+
+
+For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes).
+
+## <library>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <location>
+
+
+The <location> element defines the location of the <object> element.
+
+- **Number of occurrences:** once for each <object>
+
+- **Parent elements:**[<object>](#object)
+
+- **Child elements:**[<script>](#script)
+
+Syntax:
+
+<location type="*typeID*">*ObjectLocation*</location>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
type
+
Yes
+
typeID can be Registry or File.
+
+
+
ObjectLocation
+
Yes
+
The location of the object.
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+```
+
+## <locationModify>
+
+
+You can use the <locationModify> element to change the location and name of an object before it is migrated to the destination computer. The <locationModify> element is processed only when the LoadState tool is run on the destination computer. In other words, this element is ignored by the ScanState tool. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist.
+
+**Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child element:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<locationModify> functions](#locationmodifyfunctions) with this element: ExactMove, RelativeMove, and Move.
+
+Syntax:
+
+<locationModify script="*ScriptInvocation*">
+
+</locationModify>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
script
+
Yes
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+ %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip]
+
+
+```
+
+### <locationModify> functions
+
+The following functions change the location of objects as they are migrated when using the <locationModify> element. These functions are called for every object that the parent <ObjectSet> element is enumerating. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist.
+
+- **ExactMove**
+
+ The ExactMove function moves all of the objects that are matched by the parent <ObjectSet> element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply.
+
+ Syntax: ExactMove(*ObjectEncodedLocation*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectEncodedLocation
+
Yes
+
The destination location for all of the source objects.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+ HKCU\Keyboard Layout\Toggle []
+
+
+```
+~~~
+
+- **Move**
+
+ The Move function moves objects to a different location on the destination computer. In addition, this function creates subdirectories that were above the longest CSIDL in the source object name.
+
+ Syntax: Move(*DestinationRoot*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
DestinationRoot
+
Yes
+
The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name.
+
+
+
+
+
+
+- **RelativeMove**
+
+ You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers.
+
+ Syntax: RelativeMove(*SourceRoot*,*DestinationRoot*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
SourceRoot
+
Yes
+
The location from where the objects will be moved. Any source objects that are enumerated by the parent <ObjectSet> element that are not in this location will not be moved.
+
+
+
DestinationRoot
+
Yes
+
The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above SourceRoot.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+ %CSIDL_COMMON_FAVORITES%\* [*]
+
+
+
+
+ %CSIDL_COMMON_FAVORITES%\* [*]
+
+
+```
+~~~
+
+## <\_locDefinition>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <manufacturer>
+
+
+The <manufacturer> element defines the manufacturer for the component, but does not affect the migration.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<component>](#component)
+
+- **Child elements:** none
+
+Syntax:
+
+<manufacturer>*Name*</manufacturer>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
Name
+
Yes
+
The name of the manufacturer for the component.
+
+
+
+
+
+
+## <merge>
+
+
+The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific.
+
+For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child element:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue().
+
+Syntax:
+
+<merge script="*ScriptInvocation*">
+
+</merge>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
script
+
Yes
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
+
+
+
+
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+
+
+ %CSIDL_MYVIDEO%\* [*]
+
+
+
+
+ %CSIDL_MYVIDEO% [desktop.ini]
+
+
+
+```
+
+### <merge> functions
+
+These functions control how collisions are resolved.
+
+- **DestinationPriority**
+
+ Specifies to keep the object that is on the destination computer and not migrate the object from the source computer.
+
+ For example:
+
+ ``` xml
+
+
+ HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures]
+ HKCU\Software\Microsoft\Office\9.0\PhotoDraw\Settings\ [PicturesPath]
+ HKCU\Software\Microsoft\Office\9.0\PhotoDraw\Settings\ [AdditionalPlugInPath]
+
+
+ ```
+
+- **FindFilePlaceByPattern**
+
+ The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: <F>, <E>, <N> in any order.
+
+ Syntax: FindFilePlaceByPattern(*FilePattern*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
FilePattern
+
Yes
+
+
<F> will be replaced by the original file name.
+
<N> will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.
+
<E> will be replaced by the original file name extension.
+
+
For example, <F> (<N>).<E> will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer.
+
+
+
+
+
+
+- **NewestVersion**
+
+ The NewestVersion function will resolve conflicts on the destination computer based on the version of the file.
+
+ Syntax: NewestVersion(*VersionTag*)
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
VersionTag
+
Yes
+
The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest VersionTag version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.
+
+
+
+
+
+
+- **HigherValue()**
+
+ You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged.
+
+- **LowerValue()**
+
+ You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged.
+
+- **SourcePriority**
+
+ Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer.
+
+ For example:
+
+ ``` xml
+
+
+ %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion]
+ %HklmWowSoftware%\Microsoft\Office\11.0\Common\Migration\Publisher [UpgradeVersion]
+ %HklmWowSoftware%\Microsoft\Office\10.0\Common\Migration\Publisher [UpgradeVersion]
+
+
+ ```
+
+## <migration>
+
+
+The <migration> element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: <CustomFileName> is the name of the file; for example, "CustomApp".
+
+- **Number of occurrences:** one
+
+- **Parent elements:** none
+
+- **Required child elements:**[<component>](#component)
+
+- **Optional child elements:**[<library>](#library), [<namedElements>](#namedelements)
+
+Syntax:
+
+<migration urlid="UrlID/Name">
+
+</migration>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
urlid
+
Yes
+
UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces.
+
+
+
Name
+
No
+
Although not required, it is good practice to use the name of the .xml file.
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+```
+
+## MigXMLHelper.FileProperties
+
+
+This filter helper function can be used to filter the migration of files based on file size and date attributes.
+
+
Size: A numeral with B, KB, MB, or GB at the end. “5GB”, “1KB-1MB”
+
+
+
+
+
+
+``` xml
+
+File_size
+
+
+
+
+
+ %SYSTEMDRIVE%\DOCS\* [*]
+
+
+
+
+
+```
+
+## <namedElements>
+
+
+You can use the **<namedElements>** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the MigApp.xml file.
+
+Syntax:
+
+<namedElements>
+
+</namedElements>
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<migration>](#migration)
+
+- **Child elements:**[<environment>](#bkmk-environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), <detects>, <detect>
+
+For an example of this element, see the MigApp.xml file.
+
+## <object>
+
+
+The <object> element represents a file or registry key.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<addObjects>](#addobjects)
+
+- **Required child elements:**[<location>](#location), [<attributes>](#attribute)
+
+- **Optional child elements:**[<bytes>](#bytes)
+
+Syntax:
+
+<object>
+
+</object>
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+```
+
+## <objectSet>
+
+
+The <objectSet> element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child <conditions> elements will be evaluated first. If all child <conditions> elements return FALSE, the <objectSet> element will evaluate to an empty set. For each parent element, there can be only multiple <objectSet> elements.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [<unconditionalExclude>](#unconditionalexclude), <detect>
+
+- **Required child elements:** either [<script>](#script) or [<pattern>](#pattern)
+
+- **Optional child elements:**[<content>](#content), [conditions](#conditions), <condition>
+
+Syntax:
+
+<objectSet>
+
+</objectSet>
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+ My Music
+
+ %CSIDL_MYMUSIC%
+
+
+
+
+ MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
+
+
+
+
+
+ %CSIDL_MYMUSIC%\* [*]
+
+
+
+
+ %CSIDL_MYMUSIC%\ [desktop.ini]
+
+
+
+
+
+```
+
+## <path>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <paths>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <pattern>
+
+
+You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar:
+
+``` xml
+C:\Folder\* [Sample.doc]
+
+```
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<objectSet>](#objectset)
+
+- **Child elements:** none but *Path* \[*object*\] must be valid.
+
+Syntax:
+
+<pattern type="*typeID*">*Path* \[*object*\]</pattern>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
type
+
Yes
+
typeID can be Registry, File, or Ini. If typeId is Ini, then you cannot have a space between Path and object. For example, the following is correct when type="Ini":
A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated.
+
+
Path can contain the asterisk () wildcard character or can be an Recognized Environment Variables. You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.
+
Object can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example:
+
C:\Folder\ [] enumerates all files in C:<em>Path but no subfolders of C:\Folder.
+
C:\Folder* [] enumerates all files and subfolders of C:\Folder.
+
C:\Folder\ [*.mp3] enumerates all .mp3 files in C:\Folder.
+
C:\Folder\ [Sample.doc] enumerates only the Sample.doc file located in C:\Folder.
+
+Note
If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
+
+
+
+
+
+
+
+
+
+
+
+For example:
+
+- To migrate a single registry key:
+
+ ``` xml
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]
+ ```
+
+- To migrate the EngineeringDrafts folder and any subfolders from the C: drive:
+
+ ``` xml
+ C:\EngineeringDrafts\* [*]
+ ```
+
+- To migrate only the EngineeringDrafts folder, excluding any subfolders, from the C: drive:
+
+ [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+
+- To migrate the Sample.doc file from C:\\EngineeringDrafts:
+
+ ``` xml
+ C:\EngineeringDrafts\ [Sample.doc]
+ ```
+
+- To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated.
+
+ ``` xml
+ C:\* [Sample.doc]
+ ```
+
+- For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), [Include Files and Settings](usmt-include-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
+
+## <processing>
+
+
+You can use this element to run a script during a specific point within the migration process. Return values are not expected from the scripts that you specify, and if there are return values, they will be ignored.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child element:**[<script>](#script)
+
+Syntax:
+
+<processing when="pre-scan|scan-success|post-scan|pre-apply|apply-success|post-apply">
+
+</processing>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
when
+
Yes
+
Indicates when the script should be run. This value can be one of the following:
+
+
pre-scan means before the scanning process begins.
+
scan-success means after the scanning process has finished successfully.
+
post-scan means after the scanning process has finished, whether it was successful or not.
+
pre-apply means before the apply process begins.
+
apply-success means after the apply process has finished successfully.
+
post-apply means after the apply process has finished, whether it was successful or not.
+
+
+
+
+
+
+
+## <plugin>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <role>
+
+
+The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here.
+
+- **Number of occurrences:** Each <component> can have one, two or three child <role> elements.
+
+- **Parent elements:**[<component>](#component), [<role>](#role)
+
+- **Required child elements:**[<rules>](#rules)
+
+- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>,
+
+Syntax:
+
+<role role="Container|Binaries|Settings|Data">
+
+</role>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
role
+
Yes
+
Defines the role for the component. Role can be one of:
+
+
Container
+
Binaries
+
Settings
+
Data
+
+
You can either:
+
+
Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
+
Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
+
+
+
+The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file:
+
+``` xml
+
+ Start Menu
+
+ %CSIDL_STARTMENU%
+
+
+
+
+ MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%")
+
+
+
+
+
+ %CSIDL_STARTMENU%\* [*]
+
+
+
+
+ %CSIDL_STARTMENU% [desktop.ini]
+ %CSIDL_STARTMENU%\* [*]
+
+
+
+
+
+```
+
+## <rules>
+
+
+The <rules> element is required in a custom .xml file. This element contains rules that will run during the migration if the parent <component> element is selected, unless the child <conditions> element, if present, evaluates to FALSE. For each <rules> element there can be multiple child <rules> elements.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements)
+
+- **Required child elements:**[<include>](#include)
+
+- **Optional child elements:**[<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalexclude),[<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<addObjects>](#addobjects), [<externalProcess>](#externalprocess), [<processing>](#processing), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [conditions](#conditions), <detects>
+
+Syntax:
+
+<rules name="*ID*" context="User|System|UserAndSystem">
+
+</rules>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
name
+
Yes, when <rules> is a child to <namedElements>
+
No, when <rules> is a child to any other element
+
When ID is specified, any child elements are not processed. Instead, any other <rules> elements with the same name that are declared within <namedElements> are processed.
+
+
+
context
+
No
+
(default = UserAndSystem)
+
Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both.
+
The largest possible scope is set by the component element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If <rules> had a context of System, it would act as though <rules> was not there.
+
+
User. Evaluates the variables for each user.
+
System. Evaluates the variables only once for the system.
+
UserAndSystem. Evaluates the variables for the entire operating system and each user.
+
+
+
+
+
+
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+ My Music
+
+ %CSIDL_MYMUSIC%
+
+
+
+
+ MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%")
+
+
+
+
+
+ %CSIDL_MYMUSIC%\* [*]
+
+
+
+
+ %CSIDL_MYMUSIC%\ [desktop.ini]
+
+
+
+
+
+```
+
+## <script>
+
+
+The return value that is required by <script> depends on the parent element.
+
+**Number of occurrences:** Once for [<variable>](#variable), unlimited for [<objectSet>](#objectset) and [<processing>](#processing)
+
+**Parent elements:**[<objectSet>](#objectset), [<variable>](#variable), [<processing>](#processing)
+
+**Child elements:** none
+
+**Syntax and helper functions:**
+
+- General Syntax: <script>*ScriptWithArguments*</script>
+
+- You can use [GetStringContent](#scriptfunctions) when <script> is within <variable>.
+
+ Syntax: <script>MigXmlHelper.GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")</script>
+
+ Example: ``
+
+- You can use [GenerateUserPatterns](#scriptfunctions) when <script> is within <objectSet>.
+
+ Syntax: <script>MigXmlHelper.GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")</script>
+
+ Example: ``
+
+- You can use [GenerateDrivePatterns](#scriptfunctions) when <script> is within <objectSet>.
+
+ Syntax: <script>MigXmlHelper.GenerateDrivePatterns("*PatternSegment*","*DriveType*")</script>
+
+ Example: ``
+
+- You can use the [Simple executing scripts](#scriptfunctions) with <script> elements that are within <processing> elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM.
+
+ Syntax: <script>MigXmlHelper.*ExecutingScript*</script>
+
+ Example: ``
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ScriptWithArguments
+
Yes
+
A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").
+
The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
+
The return value that is required by <script> depends on the parent element.
+
+
When used within <variable>, the return value must be a string.
+
When used within <objectSet>, the return value must be a two-dimensional array of strings.
+
When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location.
+
+Note
If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
+
+
+
+
+
+
+
+
+
+
+
+Examples:
+
+To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated.
+
+``` xml
+
+```
+
+For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
+
+### <script> functions
+
+You can use the following functions with the <script> element
+
+- [String and pattern generating functions](#stringgeneratingfunctions)
+
+- [Simple executing scripts](#simple)
+
+### String and pattern generating functions
+
+These functions return either a string or a pattern.
+
+- **GetStringContent**
+
+ You can use GetStringContent with <script> elements that are within <variable> elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL.
+
+ Syntax: GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ObjectType
+
Yes
+
The type of object. Can be Registry or Ini (for an .ini file).
+
+
+
EncodedLocationPattern
+
Yes
+
+
If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[].
+
If the type of object is Ini, then EncodedLocationPattern must be in the following format:
+
IniFilePath|SectionName[SettingName]
+
+
+
+
ExpandContent
+
No (default=TRUE)
+
Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned.
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+```
+~~~
+
+- **GenerateDrivePatterns**
+
+ The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>.
+
+ Syntax: GenerateDrivePatterns("*PatternSegment*","*DriveType*")
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
PatternSegment
+
Yes
+
The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:", to form a complete encoded file pattern. For example, "* [*.doc]". PatternSegment cannot be an environment variable.
+
+
+
DriveType
+
Yes
+
The drive type for which the patterns are to be generated. You can specify one of:
+
+
Fixed
+
CDROM
+
Removable
+
Remote
+
+
+
+
+
+
+
+~~~
+See the last component in the MigUser.xml file for an example of this element.
+~~~
+
+- **GenerateUserPatterns**
+
+ The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns:
+
+ - "C:\\Documents and Settings\\A\\\* \[\*.doc\]"
+
+ - "C:\\Documents and Settings\\B\\\* \[\*.doc\]"
+
+ - "C:\\Documents and Settings\\C\\\* \[\*.doc\]"
+
+ Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")
+
+
Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.
+
+
+
+
+
+
+~~~
+**Example:**
+
+If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
+
+The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
+
+``` xml
+
+
+
+
+
+
+
+
+ %ProfilesFolder%\* [*.doc]
+
+
+
+
+
+
+ %ProfilesFolder%\* [*.doc]
+
+
+
+
+
+
+
+
+```
+~~~
+
+### MigXmlHelper.GenerateDocPatterns
+
+This helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either System or User context to focus the scan.
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ScanProgramFiles
+
No (default = FALSE)
+
Can be TRUE or FALSE. The ScanProgramFiles parameter determines whether or not the document finder scans the Program Files directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop.
+
+
+
IncludePatterns
+
No (default = TRUE)
+
Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the <include> element. FALSE will generate exclude patterns and can be added under the <exclude> element.
+
+
+
SystemDrive
+
No (default = FALSE)
+
Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive.
+
+
+
+
+
+
+``` xml
+
+
+ MigDocUser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+### Simple executing scripts
+
+The following scripts have no return value. You can use the following errors with <script> elements that are within <processing> elements
+
+- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example:
+
+ ``` xml
+
+
+
+ ```
+
+- **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value.
+
+- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example:
+
+ ``` xml
+
+
+
+ ```
+
+- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example:
+
+ ``` xml
+
+
+
+ ```
+
+- **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer.
+
+- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example:
+
+ ``` xml
+
+
+
+ ```
+
+- **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=267898).
+
+- **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service.
+
+- **SyncSCM(ServiceShortName).** Reads the Start type value from the registry (HKLM\\System\\CurrentControlSet\\Services\\ServiceShortName \[Start\]) after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value.
+
+## <text>
+
+
+You can use the <text> element to set a value for any environment variables that are inside one of the migration .xml files.
+
+- **Number of occurrences:** Once in each [<variable>](#variable) element.
+
+- **Parent elements:**[<variable>](#variable)
+
+- **Child elements:** None.
+
+Syntax:
+
+<text>*NormalText*</text>
+
+
+
+
+
+
+
+
+
Setting
+
Value
+
+
+
+
+
NormalText
+
This is interpreted as normal text.
+
+
+
+
+
+
+For example:
+
+``` xml
+
+ %CSIDL_COMMON_APPDATA%\QuickTime
+
+```
+
+## <unconditionalExclude>
+
+
+The <unconditionalExclude> element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the Config.xml file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit <include> rules to include .mp3 files, if you specify to exclude them with this option, then they will not be migrated.
+
+Use this element if you want to exclude all .mp3 files from the source computer. Or, if you are backing up C:\\UserData using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer.
+
+- **Number of occurrences:** Unlimited.
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Child elements:**[<objectSet>](#objectset)
+
+Syntax:
+
+<unconditionalExclude></unconditionalExclude>
+
+The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
+
+``` xml
+
+
+ Test
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## <variable>
+
+
+The <variable> element is required in an <environment> element. For each <variable> element there must be one <objectSet>, <script>, or <text> element. The content of the <variable> element assigns a text value to the environment variable. This element has the following three options:
+
+1. If the <variable> element contains a <text> element, then the value of the variable element will be the value of the <text> element.
+
+2. If the <variable> element contains a <script> element and the invocation of the script produces a non-null string, then the value of the <variable> element will be the result of the script invocation.
+
+3. If the <variable> element contains an <objectSet> element and the evaluation of the <objectSet> element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<environment>](#bkmk-environment)
+
+- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectset)
+
+Syntax:
+
+<variable name="*ID*" remap=TRUE|FALSE>
+
+</variable>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
name
+
Yes
+
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify MyComponent.InstallPath.
+
+
+
remap
+
No, default = FALSE
+
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer.
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+ HKLM\Software
+
+
+
+
+
+```
+
+## <version>
+
+
+The <version> element defines the version for the component, but does not affect the migration.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<component>](#component)
+
+- **Child elements:** none
+
+Syntax:
+
+<version>*ComponentVersion*</version>
+
+
+
+
+
+
+
+
+
+
Setting
+
Required?
+
Value
+
+
+
+
+
ComponentVersion
+
Yes
+
The version of the component, which can contain patterns.
+
+
+
+
+
+
+For example:
+
+``` xml
+4.*
+```
+
+## <windowsObjects>
+
+
+The <windowsObjects> element is for USMT internal use only. Do not use this element.
+
+## Appendix
+
+
+### Specifying locations
+
+- **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
+
+ For example, specify the file C:\\Windows\\Notepad.exe like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory C:\\Windows\\System32 like this: `c:\Windows\System32`. (Notice the absence of the \[\] construct.)
+
+ Representing the registry is very similar. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key will be `HKLM\SOFTWARE\MyKey[]`.
+
+- **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
+
+ For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories. But it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`.
+
+### Internal USMT functions
+
+The following functions are for internal USMT use only. Do not use them in an .xml file.
+
+- AntiAlias
+
+- ConvertScreenSaver
+
+- ConvertShowIEOnDesktop
+
+- ConvertToOfficeLangID
+
+- MigrateActiveDesktop
+
+- MigrateAppearanceUPM
+
+- MigrateDisplayCS
+
+- MigrateDisplaySS
+
+- MigrateIEAutoSearch
+
+- MigrateMouseUPM
+
+- MigrateSoundSysTray
+
+- MigrateTaskBarSS
+
+- SetPstPathInMapiStruc
+
+### Valid version tags
+
+You can use the following version tags with various helper functions:
+
+- “CompanyName”
+
+- “FileDescription”
+
+- “FileVersion”
+
+- “InternalName”
+
+- “LegalCopyright”
+
+- “OriginalFilename”
+
+- “ProductName”
+
+- “ProductVersion”
+
+The following version tags contain values that can be compared:
+
+- “FileVersion”
+
+- “ProductVersion”
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 5038bb98be..aeae8b54ae 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -1,49 +1,50 @@
----
-title: XML File Requirements (Windows 10)
-description: XML File Requirements
-ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# XML File Requirements
-
-
-When creating custom .xml files, note the following requirements:
-
-- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
-
- ``` syntax
-
- ```
-
-- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
-
- ``` syntax
-
-
- ```
-
-- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax:
-
- ``` syntax
- My Application
- ```
-
-For examples of custom .xml files, see [Custom XML Examples](usmt-custom-xml-examples.md).
-
-
-
-
-
-
-
-
-
+---
+title: XML File Requirements (Windows 10)
+description: XML File Requirements
+ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# XML File Requirements
+
+
+When creating custom .xml files, note the following requirements:
+
+- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
+
+ ``` xml
+
+ ```
+
+- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
+
+ ``` xml
+
+
+ ```
+
+- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax:
+
+ ``` xml
+ My Application
+ ```
+
+For examples of custom .xml files, see [Custom XML Examples](usmt-custom-xml-examples.md).
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 14fc64361b..3c52c27790 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -1,170 +1,171 @@
----
-title: Scenario 2 Proxy Activation (Windows 10)
-description: Scenario 2 Proxy Activation
-ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Scenario 2: Proxy Activation
-
-In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario:
-
-
-
-## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
-
-1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012.
-2. Click the VAMT icon in the **Start** menu to open VAMT.
-
-## Step 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers
-
-- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-
- **Note**
- To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-
-## Step 3: Connect to a VAMT Database
-
-1. If the host computer in the isolated lab workgroup is not already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup.
-2. Click **Connect**.
-3. If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md)
-
-## Step 4: Discover Products
-
-1. In the left-side pane, in the **Products** node, click the product that you want to activate.
-2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane.
-3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query:
- - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
- - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that both IPv4 and IPv6addressing are supported.
- - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
- - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks.
-4. Click **Search**.
-
- The **Finding Computers** window appears and displays the search progress as the computers are located.
-
-When the search is complete, the products that VAMT discovers appear in the list view in the center pane.
-
-## Step 5: Sort and Filter the List of Computers
-
-You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
-
-1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
-2. To sort the list further, you can click one of the column headings to sort by that column.
-3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
- - To filter the list by computer name, enter a name in the **Computer Name** box.
- - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
-
-## Step 6: Collect Status Information from the Computers in the Isolated Lab
-
-To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
-- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
-- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information.
- **To collect status information from the selected computers**
-- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**.
-- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
-
- **Note**
- If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
-
-## Step 7: Add Product Keys
-
-1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
-2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys:
- - To add a single product key, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add key(s)**.
- - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
-
- The keys that you have added appear in the **Product Keys** list view in the center pane.
-
-## Step 8: Install the Product Keys on the Isolated Lab Computers
-
-1. In the left-side pane, in the **Products** node click the product that you want to install keys onto.
-2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers).
-3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time.
-6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-
- The same status appears under the **Status of Last Action** column in the product list view in the center pane.
-
- **Note**
- Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](https://go.microsoft.com/fwlink/p/?linkid=238382)
-
- **Note**
- Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
-
-## Step 9: Export VAMT Data to a .cilx File
-
-In this step, you export VAMT from the workgroup’s host computer and save it in a .cilx file. Then you copy the .cilx file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it is critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products.
-
-1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products.
-2. In the right-side **Actions** pane, click **Export list** to open the **Export List** dialog box.
-3. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file, or enter the name of the .cilx file to which you want to export the data.
-4. Under **Export options**, select one of the following data-type options:
- - Export products and product keys.
- - Export products only.
- - Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is selected. This option should be used when an enterprise’s security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the .cilx file that is transferred to the Core Network VAMT host.
-5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box.
-6. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
-7. If you exported the list to a file on the host computer’s hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device.
-
- **Important**
- Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the .cilx file. Therefore, the .cilx file must be re-imported into the SQL Server database on the isolated lab workgroup’s VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group.
-
-## Step 10: Acquire Confirmation IDs from Microsoft on the Internet-Connected Host Computer
-
-1. Insert the removable media into the VAMT host that has Internet access.
-2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
-3. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
-4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the .cilx file that you exported from the isolated lab host computer, select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs.
-5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Click **OK** to close the message.
-
-## Step 11: Import the .cilx File onto the VAMT Host within the Isolated Lab Workgroup
-
-1. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab.
-2. Open VAMT and verify that you are connected to the database that contains the computer with the product keys that you are activating.
-3. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
-4. In the **Import list** dialog box, browse to the location of the .cilx file that contains the CIDs, select the file, and then click **Open**.
-5. Click **OK** to import the file and to overwrite any conflicting data in the database with data from the file.
-6. VAMT displays a progress message while the data is being imported. Click **OK** when a message appears and confirms that the data has been successfully imported.
-
-## Step 12: Apply the CIDs and Activate the Isolated Lab Computers
-
-1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
-2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-
- VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Sataus** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
- The same status appears under the **Status of Last Action** column in the product list view in the center pane.
-
-## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab
-
-If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database.
-1. Redeploy products to each computer, using the same computer names as before.
-2. Open VAMT.
-3. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-
- VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
- The same status appears under the **Status of Last Action** column in the product list view in the center pane.
-
- **Note**
- Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network.
-
- RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
-
- **Note**
- Reapplying the same CID conserves the remaining activations on the MAK.
-
-## Related topics
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
-
-
+---
+title: Scenario 2 Proxy Activation (Windows 10)
+description: Scenario 2 Proxy Activation
+ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Scenario 2: Proxy Activation
+
+In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario:
+
+
+
+## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
+
+1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012.
+2. Click the VAMT icon in the **Start** menu to open VAMT.
+
+## Step 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers
+
+- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+ **Note**
+ To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+## Step 3: Connect to a VAMT Database
+
+1. If the host computer in the isolated lab workgroup is not already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup.
+2. Click **Connect**.
+3. If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md)
+
+## Step 4: Discover Products
+
+1. In the left-side pane, in the **Products** node, click the product that you want to activate.
+2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane.
+3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query:
+ - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
+ - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that both IPv4 and IPv6addressing are supported.
+ - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
+ - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks.
+4. Click **Search**.
+
+ The **Finding Computers** window appears and displays the search progress as the computers are located.
+
+When the search is complete, the products that VAMT discovers appear in the list view in the center pane.
+
+## Step 5: Sort and Filter the List of Computers
+
+You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
+
+1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
+2. To sort the list further, you can click one of the column headings to sort by that column.
+3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
+
+## Step 6: Collect Status Information from the Computers in the Isolated Lab
+
+To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
+- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
+- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information.
+ **To collect status information from the selected computers**
+- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**.
+- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
+
+ **Note**
+ If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
+
+## Step 7: Add Product Keys
+
+1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
+2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys:
+ - To add a single product key, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add key(s)**.
+ - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
+
+ The keys that you have added appear in the **Product Keys** list view in the center pane.
+
+## Step 8: Install the Product Keys on the Isolated Lab Computers
+
+1. In the left-side pane, in the **Products** node click the product that you want to install keys onto.
+2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers).
+3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time.
+6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status appears under the **Status of Last Action** column in the product list view in the center pane.
+
+ **Note**
+ Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](https://go.microsoft.com/fwlink/p/?linkid=238382)
+
+ **Note**
+ Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
+
+## Step 9: Export VAMT Data to a .cilx File
+
+In this step, you export VAMT from the workgroup’s host computer and save it in a .cilx file. Then you copy the .cilx file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it is critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products.
+
+1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products.
+2. In the right-side **Actions** pane, click **Export list** to open the **Export List** dialog box.
+3. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file, or enter the name of the .cilx file to which you want to export the data.
+4. Under **Export options**, select one of the following data-type options:
+ - Export products and product keys.
+ - Export products only.
+ - Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is selected. This option should be used when an enterprise’s security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the .cilx file that is transferred to the Core Network VAMT host.
+5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box.
+6. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
+7. If you exported the list to a file on the host computer’s hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device.
+
+ **Important**
+ Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the .cilx file. Therefore, the .cilx file must be re-imported into the SQL Server database on the isolated lab workgroup’s VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group.
+
+## Step 10: Acquire Confirmation IDs from Microsoft on the Internet-Connected Host Computer
+
+1. Insert the removable media into the VAMT host that has Internet access.
+2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
+3. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
+4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the .cilx file that you exported from the isolated lab host computer, select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs.
+5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Click **OK** to close the message.
+
+## Step 11: Import the .cilx File onto the VAMT Host within the Isolated Lab Workgroup
+
+1. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab.
+2. Open VAMT and verify that you are connected to the database that contains the computer with the product keys that you are activating.
+3. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
+4. In the **Import list** dialog box, browse to the location of the .cilx file that contains the CIDs, select the file, and then click **Open**.
+5. Click **OK** to import the file and to overwrite any conflicting data in the database with data from the file.
+6. VAMT displays a progress message while the data is being imported. Click **OK** when a message appears and confirms that the data has been successfully imported.
+
+## Step 12: Apply the CIDs and Activate the Isolated Lab Computers
+
+1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
+2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+
+ VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+ The same status appears under the **Status of Last Action** column in the product list view in the center pane.
+
+## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab
+
+If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database.
+1. Redeploy products to each computer, using the same computer names as before.
+2. Open VAMT.
+3. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+
+ VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+ The same status appears under the **Status of Last Action** column in the product list view in the center pane.
+
+ **Note**
+ Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network.
+
+ RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
+
+ **Note**
+ Reapplying the same CID conserves the remaining activations on the MAK.
+
+## Related topics
+- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+
+
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index f23e9037a3..e54f6338f1 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -1,75 +1,76 @@
----
-title: Use VAMT in Windows PowerShell (Windows 10)
-description: Use VAMT in Windows PowerShell
-ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Use VAMT in Windows PowerShell
-
-The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
-**To install PowerShell 3.0**
-- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356).
- **To install the Windows Assessment and Deployment Kit**
-- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
- **To prepare the VAMT PowerShell environment**
-- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
-
- **Important**
- If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories:
- - The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
- - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe
-- For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located.
-
- For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type:
-
- ``` ps1
- cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”
- ```
-- Import the VAMT PowerShell module. To import the module, type the following at a command prompt:
- ``` syntax
- Import-Module .\VAMT.psd1
- ```
- Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
-
-## To Get Help for VAMT PowerShell cmdlets
-
-You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type:
-``` ps1
-get-help -all
-```
-For example, type:
-``` ps1
-get-help get-VamtProduct -all
-```
-
-**Warning**
-The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278).
-
-**To view VAMT PowerShell Help sections**
-
-1. To get the syntax to use with a cmdlet, type the following at a command prompt:
- ``` ps1
- get-help
- ```
- For example, type:
- ``` ps1
- get-help get-VamtProduct
- ```
-2. To see examples using a cmdlet, type:
- ``` ps1
- get-help -examples
- ```
- For example, type:
- ``` ps1
- get-help get-VamtProduct -examples
- ```
+---
+title: Use VAMT in Windows PowerShell (Windows 10)
+description: Use VAMT in Windows PowerShell
+ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Use VAMT in Windows PowerShell
+
+The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
+**To install PowerShell 3.0**
+- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356).
+ **To install the Windows Assessment and Deployment Kit**
+- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
+ **To prepare the VAMT PowerShell environment**
+- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
+
+ **Important**
+ If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories:
+ - The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
+ - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe
+- For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located.
+
+ For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type:
+
+ ``` powershell
+ cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”
+ ```
+- Import the VAMT PowerShell module. To import the module, type the following at a command prompt:
+ ``` powershell
+ Import-Module .\VAMT.psd1
+ ```
+ Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
+
+## To Get Help for VAMT PowerShell cmdlets
+
+You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type:
+``` powershell
+get-help -all
+```
+For example, type:
+``` powershell
+get-help get-VamtProduct -all
+```
+
+**Warning**
+The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278).
+
+**To view VAMT PowerShell Help sections**
+
+1. To get the syntax to use with a cmdlet, type the following at a command prompt:
+ ``` powershell
+ get-help
+ ```
+ For example, type:
+ ``` powershell
+ get-help get-VamtProduct
+ ```
+2. To see examples using a cmdlet, type:
+ ``` powershell
+ get-help -examples
+ ```
+ For example, type:
+ ``` powershell
+ get-help get-VamtProduct -examples
+ ```
diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
index cc781ed87e..563e086966 100644
--- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
+++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
@@ -1,45 +1,46 @@
----
-title: Windows Autopilot device guidelines
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot device guidelines
-
-**Applies to**
-
-- Windows 10
-
-## Hardware and firmware best practice guidelines for Windows Autopilot
-
-All devices used with Windows Autopilot should meet the [minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) for Windows 10.
-
-The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process:
-- Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode.
-- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h).
-- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner.
-- As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days
-- The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel.
-
-## Software best practice guidelines for Windows Autopilot
-
-- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers and Office 365 Pro Plus Retail (C2R).
-- Unless explicitly requested by the customer, no other preinstalled software should be included.
- - Per OEM Policy, Windows 10 features, including built-in apps, should not be disabled or removed.
-
-## Related topics
-
-[Windows Autopilot customer consent](registration-auth.md)
-[Motherboard replacement scenario guidance](autopilot-mbr.md)
+---
+title: Windows Autopilot device guidelines
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot device guidelines
+
+**Applies to**
+
+- Windows 10
+
+## Hardware and firmware best practice guidelines for Windows Autopilot
+
+All devices used with Windows Autopilot should meet the [minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) for Windows 10.
+
+The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process:
+- Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode.
+- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h).
+- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner.
+- As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days
+- The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel.
+
+## Software best practice guidelines for Windows Autopilot
+
+- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers and Office 365 Pro Plus Retail (C2R).
+- Unless explicitly requested by the customer, no other preinstalled software should be included.
+ - Per OEM Policy, Windows 10 features, including built-in apps, should not be disabled or removed.
+
+## Related topics
+
+[Windows Autopilot customer consent](registration-auth.md)
+[Motherboard replacement scenario guidance](autopilot-mbr.md)
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 5b29de8d83..294a31c04b 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,850 +1,850 @@
----
-title: Demonstrate Autopilot deployment
-ms.reviewer:
-manager: laurawi
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
-ms.custom: autopilot
----
-
-
-# Demonstrate Autopilot deployment
-
-**Applies to**
-
-- Windows 10
-
-To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
-
-In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
-
->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
-
-The following video provides an overview of the process:
-
-
-
-
->For a list of terms used in this guide, see the [Glossary](#glossary) section.
-
-## Prerequisites
-
-These are the things you'll need to complete this lab:
-
Windows 10 installation media
Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
-
Internet access
If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
-
Hyper-V or a physical device running Windows 10
The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
-
A Premium Intune account
This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
-
-## Procedures
-
-A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
-
-[Verify support for Hyper-V](#verify-support-for-hyper-v)
- [Enable Hyper-V](#enable-hyper-v)
- [Create a demo VM](#create-a-demo-vm)
- [Set ISO file location](#set-iso-file-location)
- [Determine network adapter name](#determine-network-adapter-name)
- [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
- [Install Windows 10](#install-windows-10)
- [Capture the hardware ID](#capture-the-hardware-id)
- [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
- [Verify subscription level](#verify-subscription-level)
- [Configure company branding](#configure-company-branding)
- [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
- [Register your VM](#register-your-vm)
- [Autopilot registration using Intune](#autopilot-registration-using-intune)
- [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
- [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
- [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
- [Assign the profile](#assign-the-profile)
- [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
- [See Windows Autopilot in action](#see-windows-autopilot-in-action)
- [Remove devices from Autopilot](#remove-devices-from-autopilot)
- [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
- [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
- [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
- [Add a Win32 app](#add-a-win32-app)
- [Prepare the app for Intune](#prepare-the-app-for-intune)
- [Create app in Intune](#create-app-in-intune)
- [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
- [Add Office 365](#add-office-365)
- [Create app in Intune](#create-app-in-intune)
- [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
- [Glossary](#glossary)
-
-## Verify support for Hyper-V
-
-If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
-
->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
-
-If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
-
-## Enable Hyper-V
-
-To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
-```
-
-This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
-
-```powershell
-Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
-```
-
-When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
-
->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
-
- 
-
- 
-
-
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
-
-After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
-
-To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
-
-## Create a demo VM
-
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
-
-To use Windows Powershell we just need to know two things:
-
-1. The location of the Windows 10 ISO file.
- - In the example, we assume the location is **c:\iso\win10-eval.iso**.
-2. The name of the network interface that connects to the Internet.
- - In the example, we use a Windows PowerShell command to determine this automatically.
-
-After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
-
-### Set ISO file location
-
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
-- When asked to select a platform, choose **64 bit**.
-
-After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
-
-1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
-2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
-3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
-
-### Determine network adapter name
-
-The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
-
-```powershell
-(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
-```
-
-The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
-
-For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
-
-### Use Windows PowerShell to create the demo VM
-
-All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
-
->[!IMPORTANT]
->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
-
-```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
-New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-Start-VM -VMName WindowsAutopilot
-```
-
-After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager.
-
-See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
-
-
-
-### Install Windows 10
-
-Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
-
- 
- 
- 
- 
- 
- 
-
->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
-
- 
-
-Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
-
- 
-
-To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
-
-```powershell
-Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
-```
-
-Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
-
-## Capture the hardware ID
-
->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
-
-Follow these steps to run the PS script:
-
-1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
-
- ```powershell
- md c:\HWID
- Set-Location c:\HWID
- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
- Install-Script -Name Get-WindowsAutopilotInfo -Force
- $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
- Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
- ```
-
-When you are prompted to install the NuGet package, choose **Yes**.
-
-See the sample output below.
-
-
-PS C:\> md c:\HWID
-
- Directory: C:\
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
-d----- 3/14/2019 11:33 AM HWID
-
-PS C:\> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-PS C:\HWID> dir
-
- Directory: C:\HWID
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
--a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
-
-PS C:\HWID>
-
-
-Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
-
-**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
-
-
-
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
-
-If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
-
->[!NOTE]
->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
-
-## Reset the VM back to Out-Of-Box-Experience (OOBE)
-
-With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
-
-On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
-
-
-
-Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
-
-
-
-## Verify subscription level
-
-For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
-
-**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
-
-
-
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
-
-To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
-
-
-## Configure company branding
-
-If you already have company branding configured in Azure Active Directory, you can skip this step.
-
->[!IMPORTANT]
->Make sure to sign-in with a Global Administrator account.
-
-Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
-
-
-
-When you are finished, click **Save**.
-
->[!NOTE]
->Changes to company branding can take up to 30 minutes to apply.
-
-## Configure Microsoft Intune auto-enrollment
-
-If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
-
-Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
-
-For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
-
-
-
-## Register your VM
-
-Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB.
-
-### Autopilot registration using Intune
-
-1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
-
- 
-
- >[!NOTE]
- >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
-
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
-
- 
-
- You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
-
-3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
-
-4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
-
- 
-
-### Autopilot registration using MSfB
-
->[!IMPORTANT]
->If you've already registered your VM (or device) using Intune, then skip this step.
-
-Optional: see the following video for an overview of the process.
-
-
-
-> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
-
-First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one.
-
-Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
-
-Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
-
-
-
-Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
-
-
-## Create and assign a Windows Autopilot deployment profile
-
->[!IMPORTANT]
->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
-
-Pick one:
-- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-
-### Create a Windows Autopilot deployment profile using Intune
-
->[!NOTE]
->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
-
-
-
->The example above lists both a physical device and a VM. Your list should only include only one of these.
-
-To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
-
-
-
-Click on **Create profile**.
-
-
-
-On the **Create profile** blade, use the following values:
-
-| Setting | Value |
-|---|---|
-| Name | Autopilot Lab profile |
-| Description | blank |
-| Convert all targeted devices to Autopilot | No |
-| Deployment mode | User-driven |
-| Join to Azure AD as | Azure AD joined |
-
-Click on **Out-of-box experience (OOBE)** and configure the following settings:
-
-| Setting | Value |
-|---|---|
-| EULA | Hide |
-| Privacy Settings | Hide |
-| Hide change account options | Hide |
-| User account type | Standard |
-| Apply device name template | No |
-
-See the following example:
-
-
-
-Click on **OK** and then click on **Create**.
-
->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
-
-#### Assign the profile
-
-Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
-
-To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
-
-
-
-Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
-
-Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
-
-
-
-Now click **Create** to finish creating the new group.
-
-Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
-
-With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
-
-From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
-
-
-
-Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
-
-
-
-Click **Select** and then click **Save**.
-
-
-
-It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
-
-### Create a Windows Autopilot deployment profile using MSfB
-
-If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
-
-A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
-
-First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
-
-Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
-
-
-
-Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
-
-To CREATE the profile:
-
-Select your device from the **Devices** list:
-
-
-
-On the Autopilot deployment dropdown menu, select **Create new profile**:
-
-
-
-Name the profile, choose your desired settings, and then click **Create**:
-
-
-
-The new profile is added to the Autopilot deployment list.
-
-To ASSIGN the profile:
-
-To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
-
-
-Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
-
-
->[!IMPORTANT]
->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
-
-## See Windows Autopilot in action
-
-If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
-
-
-
-Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
-
->[!TIP]
->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
-
-- Ensure your device has an internet connection.
-- Turn on the device
-- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
-
-
-Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
-
-
-
-Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
-
-Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
-
-## Remove devices from Autopilot
-
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
-
-### Delete (deregister) Autopilot device
-
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
-
-
-
-Click **X** when challenged to complete the operation:
-
-
-
-This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
-
-
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
-
-To remove the device from the Autopilot program, select the device and click Delete.
-
-
-
-A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
-
-
-At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
-
-
-Once the device no longer appears, you are free to reuse it for other purposes.
-
-If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
-
-
-## Appendix A: Verify support for Hyper-V
-
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-
-To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
-
-C:>systeminfo
-
-...
-Hyper-V Requirements: VM Monitor Mode Extensions: Yes
- Virtualization Enabled In Firmware: Yes
- Second Level Address Translation: Yes
- Data Execution Prevention Available: Yes
-
-
-In this example, the computer supports SLAT and Hyper-V.
-
->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
-You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
-
-
-C:>coreinfo -v
-
-Coreinfo v3.31 - Dump information on system CPU and memory topology
-Copyright (C) 2008-2014 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-Microcode signature: 0000001B
-HYPERVISOR - Hypervisor is present
-VMX * Supports Intel hardware-assisted virtualization
-EPT * Supports Intel extended page tables (SLAT)
-
-
-Note: A 64-bit operating system is required to run Hyper-V.
-
-## Appendix B: Adding apps to your profile
-
-### Add a Win32 app
-
-#### Prepare the app for Intune
-
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
-
-1. The source folder for your application
-2. The name of the setup executable file
-3. The output folder for the new file
-
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
-
-Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
-
-Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
-
-
-After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
-
-#### Create app in Intune
-
-Log into the Azure portal and select **Intune**.
-
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
-
-
-Under **App Type**, select **Windows app (Win32)**:
-
-
-
-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
-
-
-On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
-
-
-On the **Program Configuration** blade, supply the install and uninstall commands:
-
-Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
-Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
-
-NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
-
-
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-
-Click **OK** to save your input and activate the **Requirements** blade.
-
-On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
-
-
-Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
-
-
-Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
-
-
-Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
-
-**Return codes**: For our purposes, leave the return codes at their default values:
-
-
-
-Click **OK** to exit.
-
-You may skip configuring the final **Scope (Tags)** blade.
-
-Click the **Add** button to finalize and save your app package.
-
-Once the indicator message says the addition has completed.
-
-
-
-You will be able to find your app in your app list:
-
-
-
-#### Assign the app to your Intune profile
-
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
-
-
-Select **Add Group** to open the **Add group** pane that is related to the app.
-
-For our purposes, select *8Required** from the **Assignment type** dropdown menu:
-
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
-
-Select **Included Groups** and assign the groups you previously created that will use this app:
-
-
-
-
-
-In the **Select groups** pane, click the **Select** button.
-
-In the **Assign group** pane, select **OK**.
-
-In the **Add group** pane, select **OK**.
-
-In the app **Assignments** pane, select **Save**.
-
-
-
-At this point, you have completed steps to add a Win32 app to Intune.
-
-For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management).
-
-### Add Office 365
-
-#### Create app in Intune
-
-Log into the Azure portal and select **Intune**.
-
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
-
-
-Under **App Type**, select **Office 365 Suite > Windows 10**:
-
-
-
-Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
-
-
-Click **OK**.
-
-In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
-
->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
-
-
-Click **OK**.
-
-In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
-
-
-Click **OK** and then click **Add**.
-
-#### Assign the app to your Intune profile
-
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
-
-
-Select **Add Group** to open the **Add group** pane that is related to the app.
-
-For our purposes, select **Required** from the **Assignment type** dropdown menu:
-
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
-
-Select **Included Groups** and assign the groups you previously created that will use this app:
-
-
-
-
-
-In the **Select groups** pane, click the **Select** button.
-
-In the **Assign group** pane, select **OK**.
-
-In the **Add group** pane, select **OK**.
-
-In the app **Assignments** pane, select **Save**.
-
-
-
-At this point, you have completed steps to add Office to Intune.
-
-For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365).
-
-If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
-
-
-## Glossary
-
-
-
OEM
Original Equipment Manufacturer
-
CSV
Comma Separated Values
-
MPC
Microsoft Partner Center
-
CSP
Cloud Solution Provider
-
MSfB
Microsoft Store for Business
-
AAD
Azure Active Directory
-
4K HH
4K Hardware Hash
-
CBR
Computer Build Report
-
EC
Enterprise Commerce (server)
-
DDS
Device Directory Service
-
OOBE
Out of the Box Experience
-
VM
Virtual Machine
-
+---
+title: Demonstrate Autopilot deployment
+ms.reviewer:
+manager: laurawi
+description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+ms.custom: autopilot
+---
+
+
+# Demonstrate Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
+
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+
+>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+
+The following video provides an overview of the process:
+
+
+
+
+>For a list of terms used in this guide, see the [Glossary](#glossary) section.
+
+## Prerequisites
+
+These are the things you'll need to complete this lab:
+
Windows 10 installation media
Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
+
Internet access
If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
+
Hyper-V or a physical device running Windows 10
The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
+
A Premium Intune account
This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
+
+## Procedures
+
+A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
+
+[Verify support for Hyper-V](#verify-support-for-hyper-v)
+ [Enable Hyper-V](#enable-hyper-v)
+ [Create a demo VM](#create-a-demo-vm)
+ [Set ISO file location](#set-iso-file-location)
+ [Determine network adapter name](#determine-network-adapter-name)
+ [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
+ [Install Windows 10](#install-windows-10)
+ [Capture the hardware ID](#capture-the-hardware-id)
+ [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
+ [Verify subscription level](#verify-subscription-level)
+ [Configure company branding](#configure-company-branding)
+ [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
+ [Register your VM](#register-your-vm)
+ [Autopilot registration using Intune](#autopilot-registration-using-intune)
+ [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
+ [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
+ [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+ [Assign the profile](#assign-the-profile)
+ [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+ [See Windows Autopilot in action](#see-windows-autopilot-in-action)
+ [Remove devices from Autopilot](#remove-devices-from-autopilot)
+ [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
+ [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
+ [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
+ [Add a Win32 app](#add-a-win32-app)
+ [Prepare the app for Intune](#prepare-the-app-for-intune)
+ [Create app in Intune](#create-app-in-intune)
+ [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+ [Add Office 365](#add-office-365)
+ [Create app in Intune](#create-app-in-intune)
+ [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+ [Glossary](#glossary)
+
+## Verify support for Hyper-V
+
+If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
+
+>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
+
+If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
+
+## Enable Hyper-V
+
+To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
+
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
+```
+
+This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
+
+```powershell
+Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+```
+
+When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
+
+>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+
+ 
+
+ 
+
+
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+
+After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
+
+To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
+
+## Create a demo VM
+
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+
+To use Windows Powershell we just need to know two things:
+
+1. The location of the Windows 10 ISO file.
+ - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+2. The name of the network interface that connects to the Internet.
+ - In the example, we use a Windows PowerShell command to determine this automatically.
+
+After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
+
+### Set ISO file location
+
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+- When asked to select a platform, choose **64 bit**.
+
+After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+
+1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
+3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
+
+### Determine network adapter name
+
+The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
+
+```powershell
+(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+```
+
+The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
+
+For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+
+### Use Windows PowerShell to create the demo VM
+
+All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
+
+>[!IMPORTANT]
+>**VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
+
+```powershell
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+Start-VM -VMName WindowsAutopilot
+```
+
+After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager.
+
+See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
+
+
+
+### Install Windows 10
+
+Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
+
+ 
+ 
+ 
+ 
+ 
+ 
+
+>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+
+ 
+
+Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
+
+ 
+
+To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
+
+```powershell
+Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
+```
+
+Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
+
+## Capture the hardware ID
+
+>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+
+Follow these steps to run the PS script:
+
+1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+
+ ```powershell
+ md c:\HWID
+ Set-Location c:\HWID
+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+ Install-Script -Name Get-WindowsAutopilotInfo -Force
+ $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+ Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+ ```
+
+When you are prompted to install the NuGet package, choose **Yes**.
+
+See the sample output below.
+
+
+PS C:\> md c:\HWID
+
+ Directory: C:\
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+d----- 3/14/2019 11:33 AM HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+ Directory: C:\HWID
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
+
+PS C:\HWID>
+
+
+Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
+
+**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+
+
+
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+
+If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
+
+>[!NOTE]
+>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+
+## Reset the VM back to Out-Of-Box-Experience (OOBE)
+
+With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+
+On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
+Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
+
+
+
+Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
+
+
+
+## Verify subscription level
+
+For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+
+**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
+
+
+
+If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+
+To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
+
+
+
+## Configure company branding
+
+If you already have company branding configured in Azure Active Directory, you can skip this step.
+
+>[!IMPORTANT]
+>Make sure to sign-in with a Global Administrator account.
+
+Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
+
+
+
+When you are finished, click **Save**.
+
+>[!NOTE]
+>Changes to company branding can take up to 30 minutes to apply.
+
+## Configure Microsoft Intune auto-enrollment
+
+If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
+
+Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
+
+For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
+
+
+
+## Register your VM
+
+Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB.
+
+### Autopilot registration using Intune
+
+1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
+
+ 
+
+ >[!NOTE]
+ >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
+
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
+
+ 
+
+ You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
+
+3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
+
+4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
+
+ 
+
+### Autopilot registration using MSfB
+
+>[!IMPORTANT]
+>If you've already registered your VM (or device) using Intune, then skip this step.
+
+Optional: see the following video for an overview of the process.
+
+
+
+> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
+
+First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one.
+
+Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
+
+Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
+
+
+
+Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
+
+
+
+## Create and assign a Windows Autopilot deployment profile
+
+>[!IMPORTANT]
+>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
+
+Pick one:
+- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+
+### Create a Windows Autopilot deployment profile using Intune
+
+>[!NOTE]
+>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
+
+
+
+>The example above lists both a physical device and a VM. Your list should only include only one of these.
+
+To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
+
+
+
+Click on **Create profile**.
+
+
+
+On the **Create profile** blade, use the following values:
+
+| Setting | Value |
+|---|---|
+| Name | Autopilot Lab profile |
+| Description | blank |
+| Convert all targeted devices to Autopilot | No |
+| Deployment mode | User-driven |
+| Join to Azure AD as | Azure AD joined |
+
+Click on **Out-of-box experience (OOBE)** and configure the following settings:
+
+| Setting | Value |
+|---|---|
+| EULA | Hide |
+| Privacy Settings | Hide |
+| Hide change account options | Hide |
+| User account type | Standard |
+| Apply device name template | No |
+
+See the following example:
+
+
+
+Click on **OK** and then click on **Create**.
+
+>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+
+#### Assign the profile
+
+Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
+
+To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
+
+
+
+Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
+
+Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
+
+
+
+Now click **Create** to finish creating the new group.
+
+Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
+
+With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
+
+From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
+
+
+
+Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
+
+
+
+Click **Select** and then click **Save**.
+
+
+
+It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+
+### Create a Windows Autopilot deployment profile using MSfB
+
+If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
+
+A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
+
+First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
+
+Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
+
+
+
+Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
+
+To CREATE the profile:
+
+Select your device from the **Devices** list:
+
+
+
+On the Autopilot deployment dropdown menu, select **Create new profile**:
+
+
+
+Name the profile, choose your desired settings, and then click **Create**:
+
+
+
+The new profile is added to the Autopilot deployment list.
+
+To ASSIGN the profile:
+
+To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
+
+
+
+Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
+
+
+
+>[!IMPORTANT]
+>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
+
+## See Windows Autopilot in action
+
+If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+
+
+
+Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
+
+>[!TIP]
+>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+
+- Ensure your device has an internet connection.
+- Turn on the device
+- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
+
+
+
+Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+
+
+
+Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
+
+Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+
+## Remove devices from Autopilot
+
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+
+### Delete (deregister) Autopilot device
+
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
+
+
+
+Click **X** when challenged to complete the operation:
+
+
+
+This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+
+
+
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+
+To remove the device from the Autopilot program, select the device and click Delete.
+
+
+
+A warning message appears reminding you to first remove the device from Intune, which we previously did.
+
+
+
+At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
+
+
+
+Once the device no longer appears, you are free to reuse it for other purposes.
+
+If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
+
+
+
+## Appendix A: Verify support for Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+
+C:>systeminfo
+
+...
+Hyper-V Requirements: VM Monitor Mode Extensions: Yes
+ Virtualization Enabled In Firmware: Yes
+ Second Level Address Translation: Yes
+ Data Execution Prevention Available: Yes
+
+
+In this example, the computer supports SLAT and Hyper-V.
+
+>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+
+C:>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR - Hypervisor is present
+VMX * Supports Intel hardware-assisted virtualization
+EPT * Supports Intel extended page tables (SLAT)
+
+
+Note: A 64-bit operating system is required to run Hyper-V.
+
+## Appendix B: Adding apps to your profile
+
+### Add a Win32 app
+
+#### Prepare the app for Intune
+
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+
+1. The source folder for your application
+2. The name of the setup executable file
+3. The output folder for the new file
+
+For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+
+Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
+
+Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
+
+
+
+After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+
+
+Under **App Type**, select **Windows app (Win32)**:
+
+
+
+On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
+
+
+
+On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+
+
+
+On the **Program Configuration** blade, supply the install and uninstall commands:
+
+Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
+Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+
+NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+
+
+
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+
+Click **OK** to save your input and activate the **Requirements** blade.
+
+On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+
+
+
+Next, configure the **Detection rules**. For our purposes, we will select manual format:
+
+
+
+Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
+
+
+
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+
+**Return codes**: For our purposes, leave the return codes at their default values:
+
+
+
+Click **OK** to exit.
+
+You may skip configuring the final **Scope (Tags)** blade.
+
+Click the **Add** button to finalize and save your app package.
+
+Once the indicator message says the addition has completed.
+
+
+
+You will be able to find your app in your app list:
+
+
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select *8Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+
+
+
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+
+
+At this point, you have completed steps to add a Win32 app to Intune.
+
+For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management).
+
+### Add Office 365
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+
+
+Under **App Type**, select **Office 365 Suite > Windows 10**:
+
+
+
+Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
+
+
+
+Click **OK**.
+
+In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+
+>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+
+
+
+Click **OK**.
+
+In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
+
+
+
+Click **OK** and then click **Add**.
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select **Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+
+
+
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+
+
+At this point, you have completed steps to add Office to Intune.
+
+For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365).
+
+If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
+
+
+
+## Glossary
+
+
+
OEM
Original Equipment Manufacturer
+
CSV
Comma Separated Values
+
MPC
Microsoft Partner Center
+
CSP
Cloud Solution Provider
+
MSfB
Microsoft Store for Business
+
AAD
Azure Active Directory
+
4K HH
4K Hardware Hash
+
CBR
Computer Build Report
+
EC
Enterprise Commerce (server)
+
DDS
Device Directory Service
+
OOBE
Out of the Box Experience
+
VM
Virtual Machine
+
diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md
index 61d676afdc..efeffc2e04 100644
--- a/windows/deployment/windows-autopilot/index.md
+++ b/windows/deployment/windows-autopilot/index.md
@@ -1,76 +1,77 @@
----
-title: Windows Autopilot deployment
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot deployment
-
-**Applies to**
-
-- Windows 10
-
-Windows Autopilot is a zero-touch, self-service Windows deployment platform introduced with Windows 10, version 1703. The Windows Autopilot process runs immediately after powering on a new computer for the first time, enabling employees to configure new devices to be business-ready with just a few clicks.
-
-This guide is intended for use by an IT-specialist, system architect, or business decision maker. The guide provides information about how Windows Autopilot deployment works, including detailed requirements, deployment scenarios, and platform capabilities. The document highlights options that are available to you when planning a modern, cloud-joined Windows 10 deployment strategy. Links are provided to detailed step by step configuration procedures.
-
-## In this guide
-
-
Interested in trying out Autopilot? See this step-by-step walkthrough to test Windows Autopilot on a virtual machine or physical device with a free 30-day trial premium Intune account.
-
Using Windows Autopilot Reset, a device can be restored to its original settings, taking it back to a business-ready state. Both local and remote reset scenarios are discussed.
-
This topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10.
-
Information about how to deal with Autopilot registration and device repair issues is provided.
-
-
-## Related topics
-
-[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot)
+---
+title: Windows Autopilot deployment
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+Windows Autopilot is a zero-touch, self-service Windows deployment platform introduced with Windows 10, version 1703. The Windows Autopilot process runs immediately after powering on a new computer for the first time, enabling employees to configure new devices to be business-ready with just a few clicks.
+
+This guide is intended for use by an IT-specialist, system architect, or business decision maker. The guide provides information about how Windows Autopilot deployment works, including detailed requirements, deployment scenarios, and platform capabilities. The document highlights options that are available to you when planning a modern, cloud-joined Windows 10 deployment strategy. Links are provided to detailed step by step configuration procedures.
+
+## In this guide
+
+
Interested in trying out Autopilot? See this step-by-step walkthrough to test Windows Autopilot on a virtual machine or physical device with a free 30-day trial premium Intune account.
+
Using Windows Autopilot Reset, a device can be restored to its original settings, taking it back to a business-ready state. Both local and remote reset scenarios are discussed.
+
This topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10.
+
Information about how to deal with Autopilot registration and device repair issues is provided.
+
+
+## Related topics
+
+[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot)
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index 34ca5dcbde..939b4ac431 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -1,73 +1,74 @@
----
-title: Windows Autopilot Self-Deploying mode
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot Self-Deploying mode
-
-**Applies to: Windows 10, version 1903 or later**
-
-Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
-
-Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
-
->[!NOTE]
->Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
-
-Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
-
->[!NOTE]
->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.
-
-
-
-## Requirements
-
-Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
-
->[!IMPORTANT]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
-
-In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
-
-## Step by step
-
-In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
-
-- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
-- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
-
-## Validation
-
-When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
-
-- Once connected to a network, the Autopilot profile will be downloaded.
-- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
- - If multiple languages are preinstalled in Windows 10, the user must pick a language.
- - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
-- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
-- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
-- The device will join Azure Active Directory.
-- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
-- The [enrollment status page](enrollment-status.md) will be displayed.
-- Depending on the device settings deployed, the device will either:
- - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
- - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
-
->[!NOTE]
->Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail.
-
-In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
+---
+title: Windows Autopilot Self-Deploying mode
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows Autopilot Self-Deploying mode
+
+**Applies to: Windows 10, version 1903 or later**
+
+Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
+
+Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
+
+>[!NOTE]
+>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
+
+Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
+
+>[!NOTE]
+>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md).
+
+
+
+## Requirements
+
+Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
+
+>[!IMPORTANT]
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
+
+In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
+
+## Step by step
+
+In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
+- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
+
+## Validation
+
+When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- Once connected to a network, the Autopilot profile will be downloaded.
+- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
+ - If multiple languages are preinstalled in Windows 10, the user must pick a language.
+ - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- The [enrollment status page](enrollment-status.md) will be displayed.
+- Depending on the device settings deployed, the device will either:
+ - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
+ - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
+
+>[!NOTE]
+>Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
index 9862d47c2b..75e7e3a334 100644
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@@ -1,114 +1,116 @@
----
-title: Windows Autopilot for white glove deployment
-description: Windows Autopilot for white glove deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot for white glove deployment
-
-**Applies to: Windows 10, version 1903**
-
-Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
-
- 
-
-Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
-
-With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few necessary settings and polices and then they can begin using their device.
-
- 
-
-Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven [Azure AD join](user-driven-aad.md) and [Hybrid Azure AD](user-driven-hybrid.md) join scenarios.
-
-## Prerequisites
-
-In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
-
-- Windows 10, version 1903 or later is required.
-- An Intune subscription.
-- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
-- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
-
->[!IMPORTANT]
->Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
-
-## Preparation
-
-Devices slated for WG provisioning are registered for Autopilot via the normal registration process.
-
-To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:
-
-- User-driven Azure AD join. Devices can be deployed using Windows Autopilot and joined to an Azure Active Directory tenant.
-- User-driven with Hybrid Azure AD join. Devices can be deployed using Windows Autopilot and joined to an on-premises Active Directory domain, then registered with Azure Active Directory to enable the Hybrid Azure AD join features.
-
-If these scenarios cannot be completed, Windows Autopilot for white glove deployment will also not succeed since it builds on top of these scenarios.
-
-To enable white glove deployment, an additional Autopilot profile setting must be configured by the customer or IT Admin via their Intune account, prior to beginning the white glove process in the provisioning service facility:
-
- 
-
-The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
-
->[!NOTE]
->Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
-
-## Scenarios
-
-Windows Autopilot for white glove deployment supports two distinct scenarios:
-- User-driven deployments with Azure AD Join. The device will be joined to an Azure AD tenant.
-- User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
-Each of these scenarios consists of two parts, a technician flow and a user flow. At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
-
-### Technican flow
-
-After the customer or IT Admin has targeted all the apps and settings they want for their devices through Intune, the white glove technician can begin the white glove process. The technician could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities. Regardless of the scenario, the process to be performed by the technician is the same:
-- Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
-- From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**. Instead, press the Windows key five times to view an additional options dialog. From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**.
-
- 
-
-- On the **Windows Autopilot Configuration** screen, information will be displayed about the device:
- - The Autopilot profile assigned to the device.
- - The organization name for the device.
- - The user assigned to the device (if there is one).
- - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting).
- - **Note**: The QR codes can be scanned using a companion app, which will also configure the device to specify who it belongs to. An [open-source sample of the companion app](https://github.com/Microsoft/WindowsAutopilotCompanion) that integrates with Intune via the Graph API has been published to GitHub by the Autopilot team.
-- Validate the information displayed. If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details.
-
- 
-
-- Click **Provision** to begin the provisioning process.
-
-If the pre-provisioning process completes successfully:
-- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
- 
-- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
-
-If the pre-provisioning process fails:
-- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
-- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
-
-### User flow
-
-If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
-
-- Power on the device.
-- Select the appropriate language, locale, and keyboard layout.
-- Connect to a network (if using Wi-Fi). If using Hybrid Azure AD Join, there must be connectivity to a domain controller; if using Azure AD Join, internet connectivity is required.
-- On the branded sign-on screen, enter the user’s Azure Active Directory credentials.
-- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user’s Active Directory credentials.
-- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP). Once complete, the user will be able to access the desktop.
-
-## Related topics
-
-[White glove video](https://youtu.be/nE5XSOBV0rI)
+---
+title: Windows Autopilot for white glove deployment
+description: Windows Autopilot for white glove deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows Autopilot for white glove deployment
+
+**Applies to: Windows 10, version 1903**
+
+Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
+
+ 
+
+Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
+
+With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few necessary settings and polices and then they can begin using their device.
+
+ 
+
+Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven [Azure AD join](user-driven-aad.md) and [Hybrid Azure AD](user-driven-hybrid.md) join scenarios.
+
+## Prerequisites
+
+In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
+
+- Windows 10, version 1903 or later is required.
+- An Intune subscription.
+- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
+- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
+
+>[!IMPORTANT]
+>Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
+
+## Preparation
+
+Devices slated for white glove provisioning are registered for Autopilot via the normal registration process.
+
+To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:
+
+- User-driven Azure AD join. Devices can be deployed using Windows Autopilot and joined to an Azure Active Directory tenant.
+- User-driven with Hybrid Azure AD join. Devices can be deployed using Windows Autopilot and joined to an on-premises Active Directory domain, then registered with Azure Active Directory to enable the Hybrid Azure AD join features.
+
+If these scenarios cannot be completed, Windows Autopilot for white glove deployment will also not succeed since it builds on top of these scenarios.
+
+To enable white glove deployment, an additional Autopilot profile setting must be configured by the customer or IT Admin via their Intune account, prior to beginning the white glove process in the provisioning service facility:
+
+ 
+
+The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
+
+>[!NOTE]
+>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
+
+## Scenarios
+
+Windows Autopilot for white glove deployment supports two distinct scenarios:
+- User-driven deployments with Azure AD Join. The device will be joined to an Azure AD tenant.
+- User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
+Each of these scenarios consists of two parts, a technician flow and a user flow. At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
+
+### Technican flow
+
+After the customer or IT Admin has targeted all the apps and settings they want for their devices through Intune, the white glove technician can begin the white glove process. The technician could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities. Regardless of the scenario, the process to be performed by the technician is the same:
+- Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
+- From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**. Instead, press the Windows key five times to view an additional options dialog. From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**.
+
+ 
+
+- On the **Windows Autopilot Configuration** screen, information will be displayed about the device:
+ - The Autopilot profile assigned to the device.
+ - The organization name for the device.
+ - The user assigned to the device (if there is one).
+ - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting).
+ - **Note**: The QR codes can be scanned using a companion app, which will also configure the device to specify who it belongs to. An [open-source sample of the companion app](https://github.com/Microsoft/WindowsAutopilotCompanion) that integrates with Intune via the Graph API has been published to GitHub by the Autopilot team.
+- Validate the information displayed. If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details.
+
+ 
+
+- Click **Provision** to begin the provisioning process.
+
+If the pre-provisioning process completes successfully:
+- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
+ 
+- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
+
+If the pre-provisioning process fails:
+- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
+- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
+
+### User flow
+
+If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
+
+- Power on the device.
+- Select the appropriate language, locale, and keyboard layout.
+- Connect to a network (if using Wi-Fi). If using Hybrid Azure AD Join, there must be connectivity to a domain controller; if using Azure AD Join, internet connectivity is required.
+- On the branded sign-on screen, enter the user’s Azure Active Directory credentials.
+- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user’s Active Directory credentials.
+- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP). Once complete, the user will be able to access the desktop.
+
+## Related topics
+
+[White glove video](https://youtu.be/nE5XSOBV0rI)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index c216835569..4fcd4811c2 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -1,121 +1,122 @@
----
-title: Windows Autopilot requirements
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot requirements
-
-**Applies to: Windows 10**
-
-Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
-
-**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
-
-## Software requirements
-
-- Windows 10 version 1703 (semi-annual channel) or higher is required.
-- The following editions are supported:
- - Windows 10 Pro
- - Windows 10 Pro Education
- - Windows 10 Pro for Workstations
- - Windows 10 Enterprise
- - Windows 10 Education
- - Windows 10 Enterprise 2019 LTSC
-
-## Networking requirements
-
-Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
-
-- Ensure DNS name resolution for internet DNS names
-- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
-
-In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
-
-
Service
Information
-
Windows Autopilot Deployment Service and Windows Activation
After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
-
-For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server.
-
Azure Active Directory
User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
-
Intune
Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
-
Windows Update
During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
-
-If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
-
-
Delivery Optimization
When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
-
-If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
-
-
Network Time Protocol (NTP) Sync
When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
-
Domain Name Services (DNS)
To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
-
Diagnostics data
Starting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
-
-If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
-
This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
-
-If the WNS services are not available, the Autopilot process will still continue without notifications.
-
Microsoft Store, Microsoft Store for Business
Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
-
-If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
-
-
Office 365
As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
-
Hybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
-
-
-## Licensing requirements
-
-Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
-
-To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
- - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
- - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
- - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
-
-Additionally, the following are also recommended (but not required):
-- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
-- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
-
-## Configuration requirements
-
-Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
-
-- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
-- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
-- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
-
-Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
-
-- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
-- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
-
-See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
-
-For a walkthrough for some of these and related steps, see this video:
-
-
-
-There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
-
-## Related topics
-
-[Configure Autopilot deployment](configure-autopilot.md)
+---
+title: Windows Autopilot requirements
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot requirements
+
+**Applies to: Windows 10**
+
+Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
+
+**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
+
+## Software requirements
+
+- Windows 10 version 1703 (semi-annual channel) or higher is required.
+- The following editions are supported:
+ - Windows 10 Pro
+ - Windows 10 Pro Education
+ - Windows 10 Pro for Workstations
+ - Windows 10 Enterprise
+ - Windows 10 Education
+ - Windows 10 Enterprise 2019 LTSC
+
+## Networking requirements
+
+Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
+
+- Ensure DNS name resolution for internet DNS names
+- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
+
+In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
+
+
Service
Information
+
Windows Autopilot Deployment Service and Windows Activation
After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
+
+For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server.
+
Azure Active Directory
User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
+
Intune
Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
+
Windows Update
During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
+
+If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
+
+
Delivery Optimization
When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
+
+If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
+
+
Network Time Protocol (NTP) Sync
When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
+
Domain Name Services (DNS)
To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
+
Diagnostics data
Starting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
+
+If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
+
This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
+
+If the WNS services are not available, the Autopilot process will still continue without notifications.
+
Microsoft Store, Microsoft Store for Business
Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
+
+If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
+
+
Office 365
As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
+
The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
+
+
+## Licensing requirements
+
+Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
+
+To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
+- [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
+- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
+- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
+- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
+- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
+- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
+- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
+
+Additionally, the following are also recommended (but not required):
+- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
+- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
+
+## Configuration requirements
+
+Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
+
+- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
+- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
+- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
+
+Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
+
+- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
+- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
+
+See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
+
+For a walkthrough for some of these and related steps, see this video:
+
+
+
+There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
+
+## Related topics
+
+[Configure Autopilot deployment](configure-autopilot.md)
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index f94b65ffef..742ae20f20 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,350 +1,352 @@
----
-title: Windows 10 deployment tools (Windows 10)
-description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
-ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 deployment scenarios and tools
-
-
-To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
-
-Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
-
-In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
-
-## Windows Assessment and Deployment Kit
-
-
-Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803 ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
-
-
-
-Figure 1. The Windows 10 ADK feature selection page.
-
-### Deployment Image Servicing and Management (DISM)
-
-DISM is one of the deployment tools included in the Windows ADK and is used for capturing, servicing, and deploying boot images and operating system images.
-
-DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
-
-``` syntax
-Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
-```
-
-In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
-
-``` syntax
-Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
--Source D:\Sources\SxS -LimitAccess
-```
-
-
-
-Figure 2. Using DISM functions in PowerShell.
-
-For more information on DISM, see [DISM technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619161).
-
-### User State Migration Tool (USMT)
-
-USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process.
-
-**Note**
-Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works.
-
-
-
-USMT includes several command-line tools, the most important of which are ScanState and LoadState:
-
-- **ScanState.exe.** This performs the user-state backup.
-
-- **LoadState.exe.** This performs the user-state restore.
-
-- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe.
-
-In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
-
-- **Migration templates.** The default templates in USMT.
-
-- **Custom templates.** Custom templates that you create.
-
-- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
-
-
-
-Figure 3. A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
-
-USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64.
-
-By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
-
-- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
-
-- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
-
- **Note**
- The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default.
-
-
-
-- Operating system component settings
-
-- Application settings
-
-These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](https://go.microsoft.com/fwlink/p/?LinkId=619227) For more information on the USMT overall, see the [USMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619228).
-
-### Windows Imaging and Configuration Designer
-
-Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
-
-
-
-Figure 4. Windows Imaging and Configuration Designer.
-
-For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkID=525483).
-
-### Windows System Image Manager (Windows SIM)
-
-Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
-
-
-
-Figure 5. Windows answer file opened in Windows SIM.
-
-For more information, see [Windows System Image Manager Technical Reference]( https://go.microsoft.com/fwlink/p/?LinkId=619906).
-
-### Volume Activation Management Tool (VAMT)
-
-If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
-
-
-
-Figure 6. The updated Volume Activation Management Tool.
-
-VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
-
-``` syntax
-Get-VamtProduct
-```
-
-For more information on the VAMT, see [VAMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619230).
-
-### Windows Preinstallation Environment (Windows PE)
-
-Windows PE is a “Lite” version of Windows 10 and was created to act as a deployment platform. Windows PE replaces the DOS or Linux boot disks that ruled the deployment solutions of the last decade.
-
-The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
-
-
-
-Figure 7. A machine booted with the Windows ADK default Windows PE boot image.
-
-For more details on Windows PE, see [Windows PE (WinPE)](https://go.microsoft.com/fwlink/p/?LinkId=619233).
-
-## Windows Recovery Environment
-
-
-Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
-
-
-
-Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options.
-
-For more information on Windows RE, see [Windows Recovery Environment](https://go.microsoft.com/fwlink/p/?LinkId=619236).
-
-## Windows Deployment Services
-
-
-Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
-
-
-
-Figure 9. Windows Deployment Services using multicast to deploy three machines.
-
-In Windows Server 2012 R2, [Windows Deployment Services](https://go.microsoft.com/fwlink/p/?LinkId=619245) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management.
-
-### Trivial File Transfer Protocol (TFTP) configuration
-
-In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting.
-
-Also, there are a few new features related to TFTP performance:
-
-- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
-
-- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
-
-- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
-
-
-
-Figure 10. TFTP changes are now easy to perform.
-
-## Microsoft Deployment Toolkit
-
-
-MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
-
-MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
-
-**Note**
-Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
-
-
-
-
-
-Figure 11. The Deployment Workbench in, showing a task sequence.
-
-For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
-
-## Microsoft Security Compliance Manager 2013
-
-
-[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
-
-
-
-Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance.
-
-## Microsoft Desktop Optimization Pack
-
-
-MDOP is a suite of technologies available to Software Assurance customers through an additional subscription.
-
-The following components are included in the MDOP suite:
-
-- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
-
-- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
-
-- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
-
-- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
-
-- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies.
-
-For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](https://go.microsoft.com/fwlink/p/?LinkId=619247).
-
-## Internet Explorer Administration Kit 11
-
-
-There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
-
-
-
-Figure 13. The User Experience selection screen in IEAK 11.
-
-To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=619248) page.
-
-## Windows Server Update Services
-
-
-WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
-
-
-
-Figure 14. The Windows Server Update Services console.
-
-For more information on WSUS, see the [Windows Server Update Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=619249).
-
-## Unified Extensible Firmware Interface
-
-
-For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
-
-### Introduction to UEFI
-
-BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
-
-- 16-bit code
-
-- 1 MB address space
-
-- Poor performance on ROM initialization
-
-- MBR maximum bootable disk size of 2.2 TB
-
-As the replacement to BIOS, UEFI has many features that Windows can and will use.
-
-With UEFI, you can benefit from:
-
-- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
-
-- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
-
-- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
-
-- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
-
-- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
-
-- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
-
-- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
-
-- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.
-
-### Versions
-
-UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
-
-### Hardware support for UEFI
-
-In regard to UEFI, hardware is divided into four device classes:
-
-- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device.
-
-- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
-
-- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
-
-- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.
-
-### Windows support for UEFI
-
-Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.
-
-With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.
-
-### How UEFI is changing operating system deployment
-
-There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
-
-- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
-
-- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
-
-- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
-
-- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).
-
-For more information on UEFI, see the [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619251) overview and related resources.
-
-## Related topics
-
-
-
-
-[Deploy Windows To Go](deploy-windows-to-go.md)
-
-[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-
-[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows 10 deployment tools (Windows 10)
+description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
+ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 deployment scenarios and tools
+
+
+To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
+
+Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
+
+In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
+
+## Windows Assessment and Deployment Kit
+
+
+Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803 ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
+
+
+
+Figure 1. The Windows 10 ADK feature selection page.
+
+### Deployment Image Servicing and Management (DISM)
+
+DISM is one of the deployment tools included in the Windows ADK and is used for capturing, servicing, and deploying boot images and operating system images.
+
+DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
+
+``` syntax
+Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
+```
+
+In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
+
+``` syntax
+Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
+-Source D:\Sources\SxS -LimitAccess
+```
+
+
+
+Figure 2. Using DISM functions in PowerShell.
+
+For more information on DISM, see [DISM technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619161).
+
+### User State Migration Tool (USMT)
+
+USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process.
+
+**Note**
+Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works.
+
+
+
+USMT includes several command-line tools, the most important of which are ScanState and LoadState:
+
+- **ScanState.exe.** This performs the user-state backup.
+
+- **LoadState.exe.** This performs the user-state restore.
+
+- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe.
+
+In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
+
+- **Migration templates.** The default templates in USMT.
+
+- **Custom templates.** Custom templates that you create.
+
+- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
+
+
+
+Figure 3. A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
+
+USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64.
+
+By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
+
+- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
+
+- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
+
+ **Note**
+ The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default.
+
+
+
+- Operating system component settings
+
+- Application settings
+
+These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](https://go.microsoft.com/fwlink/p/?LinkId=619227) For more information on the USMT overall, see the [USMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619228).
+
+### Windows Imaging and Configuration Designer
+
+Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
+
+
+
+Figure 4. Windows Imaging and Configuration Designer.
+
+For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkID=525483).
+
+### Windows System Image Manager (Windows SIM)
+
+Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
+
+
+
+Figure 5. Windows answer file opened in Windows SIM.
+
+For more information, see [Windows System Image Manager Technical Reference]( https://go.microsoft.com/fwlink/p/?LinkId=619906).
+
+### Volume Activation Management Tool (VAMT)
+
+If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
+
+
+
+Figure 6. The updated Volume Activation Management Tool.
+
+VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
+
+``` syntax
+Get-VamtProduct
+```
+
+For more information on the VAMT, see [VAMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619230).
+
+### Windows Preinstallation Environment (Windows PE)
+
+Windows PE is a “Lite” version of Windows 10 and was created to act as a deployment platform. Windows PE replaces the DOS or Linux boot disks that ruled the deployment solutions of the last decade.
+
+The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
+
+
+
+Figure 7. A machine booted with the Windows ADK default Windows PE boot image.
+
+For more details on Windows PE, see [Windows PE (WinPE)](https://go.microsoft.com/fwlink/p/?LinkId=619233).
+
+## Windows Recovery Environment
+
+
+Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
+
+
+
+Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options.
+
+For more information on Windows RE, see [Windows Recovery Environment](https://go.microsoft.com/fwlink/p/?LinkId=619236).
+
+## Windows Deployment Services
+
+
+Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
+
+
+
+Figure 9. Windows Deployment Services using multicast to deploy three machines.
+
+In Windows Server 2012 R2, [Windows Deployment Services](https://go.microsoft.com/fwlink/p/?LinkId=619245) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management.
+
+### Trivial File Transfer Protocol (TFTP) configuration
+
+In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting.
+
+Also, there are a few new features related to TFTP performance:
+
+- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
+
+- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
+
+- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
+
+
+
+Figure 10. TFTP changes are now easy to perform.
+
+## Microsoft Deployment Toolkit
+
+
+MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
+
+MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
+
+**Note**
+Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
+
+
+
+
+
+Figure 11. The Deployment Workbench in, showing a task sequence.
+
+For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
+
+## Microsoft Security Compliance Manager 2013
+
+
+[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
+
+
+
+Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance.
+
+## Microsoft Desktop Optimization Pack
+
+
+MDOP is a suite of technologies available to Software Assurance customers through an additional subscription.
+
+The following components are included in the MDOP suite:
+
+- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
+
+- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
+
+- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
+
+- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
+
+- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies.
+
+For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](https://go.microsoft.com/fwlink/p/?LinkId=619247).
+
+## Internet Explorer Administration Kit 11
+
+
+There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
+
+
+
+Figure 13. The User Experience selection screen in IEAK 11.
+
+To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=619248) page.
+
+## Windows Server Update Services
+
+
+WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
+
+
+
+Figure 14. The Windows Server Update Services console.
+
+For more information on WSUS, see the [Windows Server Update Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=619249).
+
+## Unified Extensible Firmware Interface
+
+
+For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
+
+### Introduction to UEFI
+
+BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
+
+- 16-bit code
+
+- 1 MB address space
+
+- Poor performance on ROM initialization
+
+- MBR maximum bootable disk size of 2.2 TB
+
+As the replacement to BIOS, UEFI has many features that Windows can and will use.
+
+With UEFI, you can benefit from:
+
+- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
+
+- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
+
+- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
+
+- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
+
+- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
+
+- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
+
+- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
+
+- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.
+
+### Versions
+
+UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
+
+### Hardware support for UEFI
+
+In regard to UEFI, hardware is divided into four device classes:
+
+- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device.
+
+- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
+
+- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
+
+- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.
+
+### Windows support for UEFI
+
+Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.
+
+With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.
+
+### How UEFI is changing operating system deployment
+
+There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
+
+- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
+
+- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
+
+- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
+
+- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).
+
+For more information on UEFI, see the [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619251) overview and related resources.
+
+## Related topics
+
+
+
+
+[Deploy Windows To Go](deploy-windows-to-go.md)
+
+[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
+
+[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/docfx.json b/windows/docfx.json
index 0e7c823b17..21cba6820f 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -15,6 +15,7 @@
],
"globalMetadata": {
"ROBOTS": "INDEX, FOLLOW",
+ "audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 78a9eb10fb..b850fee41f 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index acef50c475..aed5ac00b0 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -36,12 +36,12 @@ At Microsoft, we use Windows diagnostic data to inform our decisions and focus o
To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
@@ -56,16 +56,16 @@ The release cadence of Windows may be fast, so feedback is critical to its succe
### What is Windows diagnostic data?
Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
+- Keep Windows up to date
+- Keep Windows secure, reliable, and performant
+- Improve Windows – through the aggregate analysis of the use of Windows
+- Personalize Windows engagement surfaces
Here are some specific examples of Windows diagnostic data:
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
+- Type of hardware being used
+- Applications installed and usage details
+- Reliability information on device drivers
### What is NOT diagnostic data?
@@ -96,9 +96,9 @@ There was a version of a video driver that was crashing on some devices running
Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
-- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 8577fea884..6f5daf90d1 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -44,8 +44,8 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
- >[!Important]
- >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
+ >[!Important]
+ >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 5a6da07e0b..55e655b1dc 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -34,6 +34,7 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index 088f0adccd..524f34b78a 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -159,7 +159,7 @@ The following table lists in what GDPR mode – controller or processor – Wind
*/*Depending on which application/feature this is referring to.*
-## Windows diagnostic data and Windows 10
+## Windows diagnostic data and Windows 10
### Recommended Windows 10 settings
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 4797029729..3ad1a4a14e 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -105,11 +105,11 @@ A key provision within the GDPR is data protection by design and by default, and
The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
-- Generate, store, and limit the use of cryptographic keys.
+- Generate, store, and limit the use of cryptographic keys.
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
+- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
-- Help to ensure platform integrity by taking and storing security measurements.
+- Help to ensure platform integrity by taking and storing security measurements.
Additional advanced device protection relevant to your operating without data breaches include Windows Trusted Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses.
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index a7aec9de77..f4e4106726 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1049,11 +1049,11 @@ To turn off dictation of your voice, speaking to Cortana and other apps, and to
If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models:
- - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
-or-
- - Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
@@ -1415,11 +1415,11 @@ In the **Inking & Typing** area you can configure the functionality as such:
To turn off Inking & Typing data collection (note: there is no Group Policy for this setting):
- - In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off**
+- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off**
-or-
- - Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)**
+- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)**
### 18.22 Activity History
@@ -1484,29 +1484,29 @@ To turn this Off in the UI:
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
- **For Windows 10:**
+**For Windows 10:**
- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
- - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
+- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
**For Windows Server 2019 or later:**
- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
- - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
**For Windows Server 2016:**
- - Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
- >[!NOTE]
- >Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
- >The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+>[!NOTE]
+>Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
+>The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### 20. Storage health
@@ -1730,7 +1730,7 @@ If you're running Windows 10, version 1607 or later, you need to:
> The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
--AND-
+ \-AND-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
@@ -1740,7 +1740,7 @@ If you're running Windows 10, version 1607 or later, you need to:
- Create a new REG_DWORD registry setting named **DisableSoftLanding** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
--AND-
+ \-AND-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences** to **Enabled**
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index 4f007d6da6..ae5da4bba4 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -23,11 +23,11 @@ ms.reviewer:
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index c8c4bffe0c..2ad044d990 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -23,11 +23,11 @@ ms.reviewer:
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 2f2f90b82d..f574f6409d 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -23,11 +23,11 @@ ms.reviewer:
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 5400e152f2..01c084966d 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -22,11 +22,11 @@ ms.date: 5/3/2019
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md
index c905dea447..41ca5d90c0 100644
--- a/windows/release-information/TOC.md
+++ b/windows/release-information/TOC.md
@@ -24,7 +24,7 @@
# Previous versions
## Windows 8.1 and Windows Server 2012 R2
### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml)
-###[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
+### [Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
## Windows Server 2012
### [Known issues and notifications](status-windows-server-2012.yml)
### [Resolved issues](resolved-issues-windows-server-2012.yml)
@@ -33,4 +33,4 @@
### [Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml)
## Windows Server 2008 SP2
### [Known issues and notifications](status-windows-server-2008-sp2.yml)
-### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
\ No newline at end of file
+### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 5bab1ca43c..4dcacaf204 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -38,6 +38,7 @@
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
+ "audience": "ITPro",
"titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
"feedback_system": "None"
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index 048946f759..efd586d8b9 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -32,16 +32,16 @@ sections:
- type: markdown
text: "
Summary
Originating update
Status
Date resolved
+
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
Error 1309 when installing/uninstalling MSI or MSP files Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
First character of Japanese era name not recognized The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517276. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4517276 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Unable to access hotspots with third-party applications
After installing KB4480962, third-party applications may have difficulty authenticating hotspots.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, \"Unrecognized Database Format\".
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Internet Explorer 11 and apps using the WebBrowser control may fail to render JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
SCVMM cannot enumerate and manage logical switches deployed on the host For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
Some applications may fail to run as expected on clients of AD FS 2016 Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000 Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
First character of the Japanese era name not recognized as an abbreviation The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Issue hosting multiple terminal server sessions and a user logs off on Windows Server In some cases, Windows Server will stop working and restart when hosting multiple terminal server sessions and a user logs off.
Instant search in Microsoft Outlook fails on Windows Server 2016 Instant search in Microsoft Outlook clients fail with the error, \"Outlook cannot perform the search\" on Windows Server 2016.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512517. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.
Affected platforms:
Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Cache size and location show zero or empty.
Keyboard shortcuts may not work properly.
Webpages may intermittently fail to load or render correctly.
Issues with credential prompts.
Issues when downloading files.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480977, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host after installing KB4467684.
Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.
Affected platforms:
Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
Instant search in Microsoft Outlook fails on Windows Server 2016
After installing KB4467684 on Windows Server 2016, instant search in Microsoft Outlook clients fail with the error, \"Outlook cannot perform the search\".
Affected platforms:
Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000 Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
First character of the Japanese era name not recognized as an abbreviation The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512507, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512474. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512474 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512507. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480959, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
Error 1309 when installing/uninstalling MSI or MSP files Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
First character of the Japanese era name not recognized as an abbreviation The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Stop error when attempting to start SSH from WSL A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512494. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512494 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512516. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
MSXML6 causes applications to stop responding if an exception was thrown
After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480967, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format.”
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
First character of the Japanese era name not recognized The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Stop error when attempting to start SSH from WSL A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512501. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
First character of the Japanese era name not recognized
After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
First character of the Japanese era name not recognized The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Applications using Microsoft Jet database and Access 95 file format stop working Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.
Issues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards Upgrade block: Devices utilizing AMD Radeon HD2000 or HD4000 series video cards may experience issues with the lock screen and Microsoft Edge tabs.
Shared albums may not sync with iCloud for Windows Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.
F5 VPN clients losing network connectivity Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.
Global DNS outage affects Windows Update customers Windows Update customers were recently affected by a network infrastructure event caused by an external DNS service provider's global outage.
Apps may stop working after selecting an audio output device other than the default Users with multiple audio devices that select an audio output device different from the \"Default Audio Device\" may find certain applications stop working unexpectedly.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4511553. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Cache size and location show zero or empty.
Keyboard shortcuts may not work properly.
Webpages may intermittently fail to load or render correctly.
Issues with credential prompts.
Issues when downloading files.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Global DNS outage affects Windows Update customers
Windows Update customers were affected by a network infrastructure event on January 29, 2019 (21:00 UTC), caused by an external DNS service provider's global outage. A software update to the external provider's DNS servers resulted in the distribution of corrupted DNS records that affected connectivity to the Windows Update service. The DNS records were restored by January 30, 2019 (00:10 UTC), and the majority of local Internet Service Providers (ISP) have refreshed their DNS servers and customer services have been restored.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
While this was not an issue with Microsoft's services, we take any service disruption for our customers seriously. We will work with partners to better understand this so we can provide higher quality service in the future even across diverse global network providers.
If you are still unable to connect to Windows Update services due to this problem, please contact your local ISP or network administrator. You can also refer to our new KB4493784 for more information to determine if your network is affected, and to provide your local ISP or network administrator with additional information to assist you.
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows.
As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.
Resolution: Microsoft has removed the safeguard hold.
Issues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Note: AMD no longer supports Radeon HD2000 and HD4000 series graphic processor units (GPUs).
Upgrade block: After updating to Windows 10, version 1809, Microsoft Edge tabs may stop working when a device is configured with AMD Radeon HD2000 or HD4000 series video cards. Customers may get the following error code: \"INVALID_POINTER_READ_c0000005_atidxx64.dll\".
Some users may also experience performance issues with the lock screen or the ShellExperienceHost. (The lock screen hosts widgets, and the ShellExperienceHost is responsible for assorted shell functionality.)
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4487044, and the block was removed.
Shared albums may not sync with iCloud for Windows
Upgrade block: Users who attempt to install iCloud for Windows (version 7.7.0.27) will see a message displayed that this version iCloud for Windows isn't supported and the install will fail.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) software installed from being offered Windows 10, version 1809 until this issue has been resolved.
We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool from the Microsoft software download website until this issue is resolved.
Resolution: Apple has released an updated version of iCloud for Windows (version 7.8.1) that resolves compatibility issues encountered when updating or synching Shared Albums after updating to Windows 10, version 1809. We recommend that you update your iCloud for Windows to version 7.8.1 when prompted before attempting to upgrade to Windows 10, version 1809. You can also manually download the latest version of iCloud for Windows by visiting https://support.apple.com/HT204283.
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Microsoft and Intel have identified a compatibility issue with a range of Intel Display Audio device drivers (intcdaud.sys, versions 10.25.0.3 - 10.25.0.8) that may result in excessive processor demand and reduced battery life. As a result, the update process to the Windows 10 October 2018 Update (Windows 10, version 1809) will fail and affected devices will automatically revert to the previous working configuration.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
If you see a \"What needs your attention\" notification during installation of the October 2018 Update, you have one of these affected drivers on your system. On the notification, click Back to remain on your current version of Windows 10.
To ensure a seamless experience, we are blocking devices from being offered the October 2018 Update until updated Intel device drivers are installed on your current operating system. We recommend that you do not attempt to manually update to Windows 10, version 1809, using the Update Now button or the Media Creation Tool from the Microsoft Software Download Center until newer Intel device drivers are available with the update. You can either wait for newer drivers to be installed automatically through Windows Update or check with your computer manufacturer for the latest device driver software availability and installation procedures. For more information about this issue, see Intel's customer support guidance.
Resolution: This issue was resolved in KB4482887 and the upgrade block removed.
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4482887 and the upgrade block removed.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
RASMAN service may stop working and result in the error “0xc0000005” The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.
Loss of functionality in Dynabook Smartphone Link app After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
IE11 may stop working when loading or interacting with Power BI reports Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
System may be unresponsive after restart if ArcaBit antivirus software installed Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart.
Authentication may fail for services after the Kerberos ticket expires Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
Devices may not respond at login or Welcome screen if running certain Avast software Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
First character of the Japanese era name not recognized as an abbreviation The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Event Viewer may not show some event descriptions for network interface cards The Event Viewer may not show some event descriptions for network interface cards (NIC).
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480955, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Cache size and location show zero or empty.
Keyboard shortcuts may not work properly.
Webpages may intermittently fail to load or render correctly.
Issues with credential prompts.
Issues when downloading files.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected Platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
After installing KB4480970, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”
This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
IE11 may stop working when loading or interacting with Power BI reports Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
Issue using PXE to start a device from WDS There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
MSXML6 may cause applications to stop responding. MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517298. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Cache size and location show zero or empty.
Keyboard shortcuts may not work properly.
Webpages may intermittently fail to load or render correctly.
Issues with credential prompts.
Issues when downloading files.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
After installing KB4480963, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”
This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart.
First character of the Japanese era name not recognized as an abbreviation The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517301. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480974, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
After installing KB4480968, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”
This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Some devices and generation 2 Hyper-V VMs may have issues installing updates Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
IE11 may stop working when loading or interacting with Power BI reports Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
Applications using Microsoft Jet database fail to open Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
Event Viewer may not show some event descriptions for network interface cards The Event Viewer may not show some event descriptions for network interface cards (NIC).
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517302. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Cache size and location show zero or empty.
Keyboard shortcuts may not work properly.
Webpages may intermittently fail to load or render correctly.
Issues with credential prompts.
Issues when downloading files.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
After installing KB4480975, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, \"Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).\"
This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, \"Unrecognized Database Format\".
Affected platforms:
Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
"
-- title: June 2019
+- title: August 2019
- items:
- type: markdown
text: "
Details
Originating update
Status
History
-
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517276. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4517276 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Internet Explorer 11 and apps using the WebBrowser control may fail to render JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Internet Explorer 11 and apps using the WebBrowser control may fail to render JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.
SCVMM cannot enumerate and manage logical switches deployed on the host For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
Some applications may fail to run as expected on clients of AD FS 2016 Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000 Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512495. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512495 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”
Affected platforms:
Server: Windows Server 2019; Windows Server 2016
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.
Affected platforms:
Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server 2016
Workaround: To mitigate this issue, you need to Enable Script Debugging using one of the following ways.
Or you can Enable Script Debugging in Internet Settings. You can open Internet Setting by either typing Internet Settings into the search box on Windows or by selecting Internet Options in Internet Explorer. Once open, select Advanced then Browsing and finally, select Enable Script Debugging.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512517. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.
Affected platforms:
Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.
Affected platforms:
Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM:
In WDS TFTP settings, verify Variable Window Extension is enabled.
In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set toDENY.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000 Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512507, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512474. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512474 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512507. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512494. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512494 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512516. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.
Affected platforms:
Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM:
In WDS TFTP settings, verify Variable Window Extension is enabled.
In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512501, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is working on a resolution and estimates a solution will be available over the coming days.
The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive this update once it is released and install it.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512501. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.
Affected platforms:
Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM:
In WDS TFTP settings, verify Variable Window Extension is enabled.
In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
-
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Apps and scripts using the NetQueryDisplayInformation API may fail with error Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4512534. This ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512534 and install. For instructions, see Update Windows 10.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”
Affected platforms:
Server: Windows Server 2019; Windows Server 2016
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4511553. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.
Affected platforms:
Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM:
In WDS TFTP settings, verify Variable Window Extension is enabled.
In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
Updates may fail to install and you may receive Error 0x80073701 Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\"
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Issues updating when certain versions of Intel storage drivers are installed Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.
Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Domain connected devices that use MIT Kerberos realms will not start up Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
Issues updating when certain versions of Intel storage drivers are installed Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.
Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
RASMAN service may stop working and result in the error “0xc0000005” The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.
Initiating a Remote Desktop connection may result in black screen When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.
Loss of functionality in Dynabook Smartphone Link app After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
Error attempting to update with external USB device or memory card attached PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
Audio not working with Dolby Atmos headphones and home theater Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
Unable to discover or connect to Bluetooth devices Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is working on a resolution and estimates a solution will be available late August. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive the update once it is released.
Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).
Updates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Next steps: We are working on a resolution and will provide an update in an upcoming release.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).
To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.
Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.6.1044.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Next steps: To resolve this issue, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later. Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for the May 2019 Update. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool.
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).
To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.
Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later. Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool.
Next Steps: We are working on a resolution and estimate a solution will be available in late August.
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.
To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Next steps: We are working on a resolution that will be made available in upcoming release.
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.
Affected platforms:
Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.
To mitigate this issue on a WDS server without SCCM:
In WDS TFTP settings, verify Variable Window Extension is enabled.
In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).
To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.
Affected platforms:
Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
Connecting to (or disconnecting from) an external monitor, dock, or projector
Rotating the screen
Updating display drivers or making other display mode changes
Closing full screen applications
Applying custom color profiles
Running applications that rely on custom gamma ramps
Affected platforms:
Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.
To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.
To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Error attempting to update with external USB device or memory card attached
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.
Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).
Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.
To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Audio not working with Dolby Atmos headphones and home theater
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Affected platforms:
Client: Windows 10, version 1903
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.
For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool.
Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809
Workaround:
On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.
Note We recommend you do not attempt to update your devices until newer device drivers are installed.
Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV Windows udates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
IA64 and x64 devices may fail to start after installing updates
IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:
\"File: \\Windows\\system32\\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file.\"
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1
Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available. Please reach out to Symantec or Norton support for further guidance.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles:
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517298. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles:
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.
Affected platforms:
Client: Windows 8.1; Windows 7 SP1
Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517301. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
Devices starting using PXE from a WDS or SCCM servers may fail to start Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
Japanese IME doesn't show the new Japanese Era name as a text input option If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517302. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.
This issue was resolved on the server side at 1:00 pm PST.
The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)
On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
As of August 13, 2019, Windows 7 SP1 and Windows Server 2008 R2 SP1 updates signatures only support SHA-2 code signing. As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, we are requiring that SHA-2 code signing support be installed. If you have Windows Update enabled and have applied the security updates released in March 2019 (KB4490628) and August 2019 (KB4474419), you are protected automatically; no further configuration is necessary. If you have not installed the March 2019 updates, you will need to do so in order to continue to receive updates on devices running Windows 7 SP1 and Windows Server 2008 R2 SP1.
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard.
August 13, 2019 10:00 AM PT
Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)
August 06, 2019 10:00 AM PT
Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store.
The optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release.
July 26, 2019 02:00 PM PT
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 14b733039f..328ee569c2 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -35,6 +35,8 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
+ "manager": "dansimp",
+ "audience": "ITPro",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index d8db3e63d2..c1d0c47fdc 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -194,9 +194,9 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
-| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.|
+| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.|
| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
-| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password. The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
+| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password. The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index c67ea0ab51..870cc58a84 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t
**Enrolling devices in a certificate**
Run the following command:
-``` syntax
+```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
- ``` syntax
+ ```powershell
.\get-IssuancePolicy.ps1 –LinkedToGroup:All
```
@@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
- ``` syntax
+ ```powershell
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
```
@@ -143,7 +143,7 @@ Here is a list of scripts mentioned in this topic.
Save this script file as get-IssuancePolicy.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 1a19c1ea01..b9b11df607 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -16,7 +16,7 @@ ms.date: 08/17/2017
ms.reviewer:
---
-# Windows Defender Credential Guard: Known issues
+# Windows Defender Credential Guard: Known issues
**Applies to**
- Windows 10
@@ -34,14 +34,14 @@ The following known issue has been fixed in the [Cumulative Security Update for
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
-- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
+- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
-- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
+- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
- This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
+ This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
- Windows 10 Version 1607 and Windows Server 2016:
[KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217)
@@ -52,30 +52,30 @@ The following known issues have been fixed by servicing releases made available
The following issue affects the Java GSS API. See the following Oracle bug database article:
-- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
+- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:
-- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
+- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
*Registration required to access this article.
The following issue affects McAfee Application and Change Control (MACC):
-- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1]
+- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1]
The following issue affects AppSense Environment Manager.
For further information, see the following Knowledge Base article:
-- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \**
+- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \**
The following issue affects Citrix applications:
-- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1]
+- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1][1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
-- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
+- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
@@ -86,7 +86,7 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated
## Vendor support
See the following article on Citrix support for Secure Boot:
-- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
+- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 3fe994764f..a583960ecd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -106,7 +106,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic
> [!NOTE]
> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](https://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-
+
+
### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
@@ -115,7 +116,7 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe
DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
-> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
### Review Windows Defender Credential Guard performance
@@ -199,7 +200,8 @@ To disable Windows Defender Credential Guard, you can use the following set of p
For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
-
+
+
#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
@@ -208,7 +210,7 @@ You can also disable Windows Defender Credential Guard by using the [Windows Def
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
> [!IMPORTANT]
-> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
#### Disable Windows Defender Credential Guard for a virtual machine
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 2e1a83d9b7..582af34a67 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -96,7 +96,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t
**Enrolling devices in a certificate**
Run the following command:
-``` syntax
+```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@@ -112,7 +112,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
- ``` syntax
+ ```powershell
.\get-IssuancePolicy.ps1 –LinkedToGroup:All
```
@@ -121,7 +121,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
- ``` syntax
+ ```powershell
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
```
@@ -172,7 +172,7 @@ Here is a list of scripts mentioned in this topic.
Save this script file as get-IssuancePolicy.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
@@ -363,7 +363,7 @@ write-host "There are no issuance policies which are not mapped to groups"
Save the script file as set-IssuancePolicyToGroupLink.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index 0b6d13f777..dae9193c68 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -25,7 +25,7 @@ Here is a list of scripts mentioned in this topic.
Save this script file as get-IssuancePolicy.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
@@ -216,7 +216,7 @@ write-host "There are no issuance policies which are not mapped to groups"
Save the script file as set-IssuancePolicyToGroupLink.ps1.
-``` syntax
+```powershell
#######################################
## Parameters to be defined ##
## by the user ##
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 3c60042dd6..18314f3f58 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -44,7 +44,7 @@ Windows Hello provides many benefits, including:
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies. For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
-## Where is Microsoft Hello data stored?
+## Where is Windows Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
## Has Microsoft set any device requirements for Windows Hello?
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 60e829af0c..4563787217 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
-## Update Windows Server 2016
+## Update Windows Server 2016
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
deleted file mode 100644
index 30b809ce8c..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ /dev/null
@@ -1,549 +0,0 @@
----
-title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business)
-description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Configure or Deploy Multifactor Authentication Services
-
-**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Certificate trust
-
-
-On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution.
-
->[!TIP]
->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
-
-## Prerequisites
-
-The Azure MFA Server and User Portal servers have several prerequisites and must have connectivity to the Internet.
-
-### Primary MFA Server
-
-The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers.
-
-For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server.
-
-The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched.
-
-#### Enroll for Server Authentication
-
-The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate.
-
-Sign-in the primary MFA server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
-
-To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
-
-The following services are required:
-* Common Parameters > Default Document.
-* Common Parameters > Directory Browsing.
-* Common Parameters > HTTP Errors.
-* Common Parameters > Static Content.
-* Health and Diagnostics > HTTP Logging.
-* Performance > Static Content Compression.
-* Security > Request Filtering.
-* Security > Basic Authentication.
-* Management Tools > IIS Management Console.
-* Management Tools > IIS 6 Management Compatibility.
-* Application Development > ASP.NET 4.5.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server Certificate
-
-The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
-
-Sign in the primary MFA server with _administrator_ equivalent credentials.
-1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console
-2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**.
-3. In the **Actions** pane, click **Bindings**.
-4. In the **Site Bindings** dialog, Click **Add**.
-5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer.
-6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**.
-
-#### Configure the Web Service’s Security
-
-The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the **Phonefactor Admins** security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the **Phonefactor Admins** security group.
-
-Sign in the domain controller with _domain administrator_ equivalent credentials.
-
-##### Create Phonefactor Admin group
-
-1. Open **Active Directory Users and Computers**
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**.
-3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name.
-4. Click **OK**.
-
-##### Add accounts to the Phonefactor Admins group
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
-3. Click the **Members** tab.
-4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc).
-* Confirm the host has all the available updates from Windows Update.
-* Confirm you bound the server authentication certificate to the IIS web site.
-* Confirm you created the Phonefactor Admins group.
-* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal.
-
-### User Portal Server
-
-The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design.
-
-#### Enroll for Server Authentication
-
-Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers.
-
-For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server.
-
-Sign-in the User Portal server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com).
-9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com).
-10. Click **Add**. Click **OK** when finished.
-11. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Set the IIS Server Certificate
-
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server-certificate) section.
-
-#### Create WebServices SDK user account
-
-The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
-4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
-
-#### Add the MFA SDK user account to the Phonefactor Admins group
-
-Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties.
-3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * The Webservices SDK user account
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the user portal are properly configure for load balancing and high-availability.
-* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Server Role was properly configured on all servers.
-* Confirm all the hosts have the latest updates from Windows Update.
-* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group.
-
-## Installing Primary Azure MFA Server
-
-When you install Azure Multi-Factor Authentication Server, you have the following options:
-1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS
-2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments)
-
-See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options.
-
-Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server.
-
->[!IMPORTANT]
->Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article.
-
-### Configuring Company Settings
-
-You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory.
-
-Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
-1. Start the **Multi-Factor Server** application
-2. Click **Company Settings**.
-3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list.
-4. In **User defaults**, select **Phone Call** or **Text Message**
- **Note:** You can use the mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help.
-5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge.
-6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration.
-7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal.
-8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists.
-9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal.
-10. Configure the minimum length for the PIN.
-11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN.
-12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid.
-13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10.
-
-
-
-### Configuring Email Settings and Content
-
-If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings.
-
-Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication.
-
-With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on.
-
-The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication.
-
-If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal.
-
-#### Settings
-
-By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box.
-
-#### Content
-
-On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you.
-
-##### Edit the Content Settings
-
-The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab.
-
-Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. Click **Email** from the list of icons and click the **Email Content** tab.
-3. Select an email template from the list of templates. Click **Edit**.
-4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email.
- 
-
-5. Optionally, customize other options in the email template.
-6. When finished editing the template, Click **Apply**.
-7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes.
-8. Click **Close** when you are done editing the email templates.
-
-### Configuring Directory Integration Settings and Synchronization
-
-Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory.
-
-It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names).
-
-#### MultiFactorAuthAdSync Service
-
-The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server.
-
-The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges.
-
-#### Settings
-
-Configuring the directory synchronization between Active Directory and the Azure MFA server is easy.
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
-3. Click the **Synchronization** tab.
-4. Select **Use Active Directory**.
-5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance.
-
-#### Synchronization
-
-The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers.
-
-You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting.
-
-See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details.
-
-##### To add a synchronization item
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
-3. Select the **Synchronization** tab.
-4. On the **Synchronization** tab, click **Add**.
- 
-
-5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list.
-6. Select the group you are using for replication from the list of groups
-7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups.
-8. Select **Add new users and Update existing users**.
-9. Select **Disable/Remove users no longer a member** and select **Disable** from the list.
-10. Select the attributes appropriate for your environment for **Import phone** and **Backup**.
-11. Select **Enabled** and select **Only New Users with Phone Number** from the list.
-12. Select **Send email** and select **New and Updated Users**.
-
-##### Configure synchronization item defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab.
-2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN).
-
-##### Configure synchronization language defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab.
-2. Select the appropriate default language for these groups of users synchronized by these synchronization item.
-3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint).
-
-### Installing the MFA Web Services SDK
-
-The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store.
-
-Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed.
-
-Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK.
-
-## Install Secondary MFA Servers
-
-Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit.
-
-Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated.
-
-Sign in the secondary MFA server with _domain administrator_ equivalent credentials.
-1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**.
- **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server.
-2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**.
-3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**.
-4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group.
-5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you downloaded the latest Azure MFA Server from the Azure Portal.
-* Confirm the server has Internet connectivity.
-* Confirm you installed and activated the Azure MFA Server.
-* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc).
-* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server.
- * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups.
-
-* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account.
-* Confirm you installed the Web Service SDK on the primary MFA server.
-* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server.
-
-
-## Installing the User Portal Server
-
-You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users.
-
-### Copying the User Portal Installation file
-
-Sign in the primary MFA server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer.
-2. Browse to the C:\Program Files\MultiFactor Authentication Server folder.
-3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
-
-### Configure Virtual Directory name
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step.
-2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**.
-3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time.
-4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**.
-5. Click **Close**.
-
-### Edit MFA User Portal config file
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
-
-### Create a DNS entry for the User Portal web site
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials.
-1. Open the **DNS Management** console.
-2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
-3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
-4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
-5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**.
-6. Close the **DNS Management** console.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-
-### Validating your work
-
-Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
-
-Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal.
-
-### Configuring the User Portal
-
-The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal.
-User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-#### Settings
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
- 
-
-3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`.
-The Multi-Factor Authentication Server uses this information when sending emails to users.
-4. Select Allow users to log in and Allow user enrollment check boxes.
-5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method.
-6. Select Allow users to select language.
-7. Select Use security questions for fallback and select 4 from the Questions to answer list.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal).
-
-#### Administrators
-
-The User Portal Settings tab allows the administrator to install and configure the User Portal.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
-3. On the Administrators tab, Click Add
-4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions.
-5. Click Add.
-
->[!TIP]
->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**.
-
-#### Security Questions
-
-[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions.
-
-#### Trusted IPs
-
-The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry.
-
-## Configure the AD FS Server to use the MFA for multifactor authentication
-
-You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server.
-
-### Install the MFA AD FS Adapter
-
-Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server.
-
-### Edit the MFA AD FS Adapter config file on all ADFS Servers
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
-
-### Edit the AD FS Adapter Windows PowerShell cmdlet
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
-
-### Run the AD FS Adapter PowerShell cmdlet
-
-Sign in the primary AD FS server with local administrator equivalent credentials.
-
-Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**.
-
->[!NOTE]
->You must restart the AD FS service for the registration to take effect.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-* Confirm you restarted the AD FS Service after completing the configuration.
-
-## Test Multifactor Authentication
-
-Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete.
-
-1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
-2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
-3. Click **Test**.
-4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
-
-The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 13beb24a52..ff7f5deec6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -16,36 +16,19 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Validate and Deploy Multifactor Authentication Services (MFA)
+# Validate and Deploy Multi-factor Authentication (MFA)
**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Certificate trust
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Certificate trust
-Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
+Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
-Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
-* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
-* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios.
-* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
-* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
+For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
-## On-Premises Azure MFA Server
-
-On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory.
-
-### Infrastructure
-
-A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing.
-
-Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
-
->[!IMPORTANT]
->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article.
-
-Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies).
## Follow the Windows Hello for Business on premises certificate trust deployment guide
1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 48fdad4ba0..2e79df76db 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -85,8 +85,8 @@ Sign-in to a certificate authority or management workstations with _Enterprise A
3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
4. Click the **Superseded Templates** tab. Click **Add**.
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
-6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **Add**.
-7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **Add**.
+6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. Click **Add**.
+7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **OK**. Click **Add**.
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
9. Click **OK** and close the **Certificate Templates** console.
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
index 1a029f2dc9..37591f1f54 100644
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@@ -147,7 +147,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
### On-premises Deployments
-** Requirements**
+**Requirements**
* Active Directory
* On-premises Windows Hello for Business deployment
* Reset from settings - Windows 10, version 1703, Professional
@@ -260,7 +260,7 @@ Users appreciate convenience of biometrics and administrators value the security
> [!IMPORTANT]
-> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.\
+> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 26b5607798..f32db55329 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -71,7 +71,7 @@ Azure AD Join is intended for organizations that desire to be cloud-first or clo
[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information
- - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
+- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
[Return to Top](hello-how-it-works-technology.md)
## Azure AD Registered
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 847bbfdf0e..d1c11a2a8c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -309,13 +309,13 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Select the appropriate configuration for the following settings.
- * **Lowercase letters in PIN**
- * **Uppercase letters in PIN**
- * **Special characters in PIN**
- * **PIN expiration (days)**
- * **Remember PIN history**
- > [!NOTE]
- > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+ * **Lowercase letters in PIN**
+ * **Uppercase letters in PIN**
+ * **Special characters in PIN**
+ * **PIN expiration (days)**
+ * **Remember PIN history**
+ > [!NOTE]
+ > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
13. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 2fc0996eb0..8eb13e3cb1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -79,7 +79,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
2. Click **Login** and provide Azure credentials
-3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid] is the user principal name of user in Azure Active Directory. Click **Go**
+3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
@@ -535,7 +535,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
-3. Select **Device Configuration**, and then select **Certificate Authority**.
+3. Select **Device Configuration**, and then select **Certificate Connectors**.
4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
@@ -610,7 +610,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
1. Open a command prompt.
2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
+```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
3. Close the command prompt.
4. Open **Internet Explorer**.
5. In the navigation bar, type
@@ -636,7 +636,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**.
-### Create a SCEP Certificte Profile
+### Create a SCEP Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
@@ -659,7 +659,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
-15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**.
+15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 1df71e5f3d..433457239a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -196,10 +196,19 @@ In a federated Azure AD configuration, devices rely on Active Directory Federati
Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service.
+When you're using AD FS, you need to enable the following WS-Trust endpoints:
+`/adfs/services/trust/2005/windowstransport`
+`/adfs/services/trust/13/windowstransport`
+`/adfs/services/trust/2005/usernamemixed`
+`/adfs/services/trust/13/usernamemixed`
+`/adfs/services/trust/2005/certificatemixed`
+`/adfs/services/trust/13/certificatemixed`
+
+> [!WARNING]
+> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
+
> [!NOTE]
-> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**.
->
-> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX).
+>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).
The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 71517e7da8..cd40458897 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
+> [!NOTE]
+> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory.
+
### Section Review
> [!div class="checklist"]
> * Azure Active Directory Connect directory synchronization
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 1629f3eb9a..1cf7fcb2cd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -114,7 +114,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
+3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 05a4294ad7..f65eaf8b20 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -151,7 +151,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p
You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
#### Use biometrics
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index cdc50b7691..1f4f6b976d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -19,11 +19,11 @@ ms.reviewer:
# Hybrid Azure AD joined Key Trust Deployment
**Applies to**
-- Windows 10, version 1703 or later
-- Hybrid deployment
-- Key trust
-
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Key trust
+
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
@@ -31,10 +31,11 @@ It is recommended that you review the Windows Hello for Business planning guide
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
+
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
-
+
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
-
+
Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
> [!div class="nextstepaction"]
@@ -42,9 +43,8 @@ Your next step is to familiarize yourself with the prerequisites needed for the
-
-
## Follow the Windows Hello for Business hybrid key trust deployment guide
+
1. Overview (*You are here*)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 161c10f243..a6364bad59 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
-## Update Windows Server 2016
+## Update Windows Server 2016
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
deleted file mode 100644
index b2c377057f..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ /dev/null
@@ -1,549 +0,0 @@
----
-title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business)
-description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Configure or Deploy Multifactor Authentication Services
-
-**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Key trust
-
-
-On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter.
-
->[!TIP]
->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
-
-## Prerequisites
-
-The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet.
-
-### Primary MFA Server
-
-The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers.
-
-For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server.
-
-The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched.
-
-#### Enroll for Server Authentication
-
-The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate.
-
-Sign-in the primary MFA server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
-
-To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
-
-The following services are required:
-* Common Parameters > Default Document.
-* Common Parameters > Directory Browsing.
-* Common Parameters > HTTP Errors.
-* Common Parameters > Static Content.
-* Health and Diagnostics > HTTP Logging.
-* Performance > Static Content Compression.
-* Security > Request Filtering.
-* Security > Basic Authentication.
-* Management Tools > IIS Management Console.
-* Management Tools > IIS 6 Management Compatibility.
-* Application Development > ASP.NET 4.5.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server’s Certificate
-
-The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
-
-Sign in the primary MFA server with _administrator_ equivalent credentials.
-1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console
-2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**.
-3. In the **Actions** pane, click **Bindings**.
-4. In the **Site Bindings** dialog, Click **Add**.
-5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer.
-6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**.
-
-#### Configure the Web Service’s Security
-
-The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group.
-
-Sign in the domain controller with _domain administrator_ equivalent credentials.
-
-##### Create Phonefactor Admin group
-
-1. Open **Active Directory Users and Computers**
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**.
-3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name.
-4. Click **OK**.
-
-##### Add accounts to the Phonefactor Admins group
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
-3. Click the **Members** tab.
-4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc).
-* Confirm the host has all the available updates from Windows Update.
-* Confirm you bound the server authentication certificate to the IIS web site.
-* Confirm you created the Phonefactor Admins group.
-* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal.
-
-### User Portal Server
-
-The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design.
-
-#### Enroll for Server Authentication
-
-Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers.
-
-For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server.
-
-Sign-in the User Portal server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com).
-9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com).
-10. Click **Add**. Click **OK** when finished.
-11. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server’s Certificate
-
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section.
-
-#### Create WebServices SDK user account
-
-The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**.
-4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
-
-#### Add the MFA SDK user account to the Phonefactor Admins group
-
-Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties.
-3. Click the Members tab.
-4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * The Webservices SDK user account
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the user portal are properly configure for load balancing and high-availability.
-* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Server Role was properly configured on all servers.
-* Confirm all the hosts have the latest updates from Windows Update.
-* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group.
-
-## Installing Primary Azure MFA Server
-
-When you install Azure Multi-Factor Authentication Server, you have the following options:
-1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS
-2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments)
-
-See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options.
-
-Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server.
-
->[!IMPORTANT]
->Only follow the above mention article to install Azure MFA Server. Once it is installed, continue configuration using this article.
-
-### Configuring Company Settings
-
-You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory.
-
-Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
-1. Start the **Multi-Factor Server** application
-2. Click **Company Settings**.
-3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list.
-4. In **User defaults**, select **Phone Call** or **Text Message**
- **Note:** You can use mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help.
-5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge.
-6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration.
-7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal.
-8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists.
-9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal.
-10. Configure the minimum length for the PIN.
-11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN.
-12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid.
-13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10.
-
-
-
-### Configuring Email Settings and Content
-
-If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings.
-
-Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication.
-
-With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on.
-
-The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication.
-
-If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal.
-
-#### Settings
-
-By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box.
-
-#### Content
-
-On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you.
-
-##### Edit the Content Settings
-
-The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab.
-
-Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. Click **Email** from the list of icons and click the **Email Content** tab.
-3. Select an email template from the list of templates. Click **Edit**.
-4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email.
- 
-
-5. Optionally, customize other options in the email template.
-6. When finished editing the template, Click **Apply**.
-7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes.
-8. Click **Close** when you are done editing the email templates.
-
-### Configuring Directory Integration Settings and Synchronization
-
-Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory.
-
-It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names).
-
-#### MultiFactorAuthAdSync Service
-
-The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server.
-
-The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges.
-
-#### Settings
-
-Configuring the directory synchronization between Active Directory and the Azure MFA server is easy.
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
-3. Click the **Synchronization** tab.
-4. Select **Use Active Directory**.
-5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance.
-
-#### Synchronization
-
-The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers.
-
-You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting.
-
-See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details.
-
-##### To add a synchronization item
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the **Multi-Factor Authentication Server** console.
-2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
-3. Select the **Synchronization** tab.
-4. On the **Synchronization** tab, click **Add**.
- 
-
-5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list.
-6. Select the group you are using for replication from the list of groups
-7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups.
-8. Select **Add new users and Update existing users**.
-9. Select **Disable/Remove users no longer a member** and select **Disable** from the list.
-10. Select the attributes appropriate for your environment for **Import phone** and **Backup**.
-11. Select **Enabled** and select **Only New Users with Phone Number** from the list.
-12. Select **Send email** and select **New and Updated Users**.
-
-##### Configure synchronization item defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab.
-2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN).
-
-##### Configure synchronization language defaults
-
-1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab.
-2. Select the appropriate default language for these groups of users synchronized by these synchronization item.
-3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint).
-
-### Installing the MFA Web Services SDK
-
-The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store.
-
-Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed.
-
-Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK.
-
-## Install Secondary MFA Servers
-
-Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit.
-
-Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated.
-
-Sign in the secondary MFA server with _domain administrator_ equivalent credentials.
-1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**.
- **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server.
-2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**.
-3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**.
-4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group.
-5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you downloaded the latest Azure MFA Server from the Azure Portal.
-* Confirm the server has Internet connectivity.
-* Confirm you installed and activated the Azure MFA Server.
-* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc).
-* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server.
- * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups.
-
-* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account.
-* Confirm you installed the Web Service SDK on the primary MFA server.
-* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server.
-
-
-## Installing the User Portal Server
-
-You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users.
-
-### Copying the User Portal Installation file
-
-Sign in the primary MFA server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer.
-2. Browse to the C:\Program Files\MultiFactor Authentication Server folder.
-3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
-
-### Configure Virtual Directory name
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step.
-2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**.
-3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time.
-4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**.
-5. Click **Close**.
-
-### Edit MFA User Portal config file
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
-
-### Create a DNS entry for the User Portal web site
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials.
-1. Open the **DNS Management** console.
-2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
-3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
-4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
-5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**.
-6. Close the **DNS Management** console.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-
-### Validating your work
-
-Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
-
-Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal.
-
-### Configuring the User Portal
-
-The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal.
-User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-#### Settings
-
-Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
- 
-
-3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`.
-The Multi-Factor Authentication Server uses this information when sending emails to users.
-4. Select Allow users to log in and Allow user enrollment check boxes.
-5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method.
-6. Select Allow users to select language.
-7. Select Use security questions for fallback and select 4 from the Questions to answer list.
-
->[!TIP]
->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal).
-
-#### Administrators
-
-The User Portal Settings tab allows the administrator to install and configure the User Portal.
-1. Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
-3. On the Administrators tab, Click Add
-4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions.
-5. Click Add.
-
->[!TIP]
->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**.
-
-#### Security Questions
-
-[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions.
-
-#### Trusted IPs
-
-The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry.
-
-## Configure the AD FS Server to use the MFA for multifactor authentication
-
-You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server.
-
-### Install the MFA AD FS Adapter
-
-Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server.
-
-### Edit the MFA AD FS Adapter config file on all ADFS Servers
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
-
-### Edit the AD FS Adapter Windows PowerShell cmdlet
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
-
-### Run the AD FS Adapter PowerShell cmdlet
-
-Sign in the primary AD FS server with local administrator equivalent credentials.
-
-Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**.
-
->[!NOTE]
->You must restart the AD FS service for the registration to take effect.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-* Confirm you restarted the AD FS Service after completing the configuration.
-
-## Test AD FS with the Multifactor Authentication connector
-
-Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete.
-
-1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
-2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
-3. Click **Test**.
-4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
-
-The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 73e64d3e70..1b30d94278 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -33,9 +33,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs on
## Enable Windows Hello for Business Group Policy
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
+The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
-You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10.
## Create the Windows Hello for Business Group Policy object
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 19a03daf36..f4e3ef2457 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -16,36 +16,22 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Validate and Deploy Multifactor Authentication Services (MFA)
+# Validate and Deploy Multi-factor Authentication (MFA)
+
+> [!IMPORTANT]
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Key trust
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
+Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
-Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
-* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
-* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios.
-* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
-* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
+For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
-## On-Premises Azure MFA Server
-
-On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory.
-
-### Infrastructure
-
-A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing.
-
-Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
-
->[!IMPORTANT]
->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article.
-
-Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies).
## Follow the Windows Hello for Business on premises certificate trust deployment guide
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 68ee7e67cf..2ff12340f3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -47,7 +47,7 @@ There are six major categories you need to consider for a Windows Hello for Busi
### Baseline Prerequisites
-Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet.
+Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet.
### Deployment Options
@@ -166,11 +166,13 @@ If your organization does not have cloud resources, write **On-Premises** in box
### Trust type
+Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+
Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).
-Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 062ad20bc7..57238c3214 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -1,5 +1,5 @@
---
-title: Password-less Strategy
+title: Passwordless Strategy
description: Reducing Password Usage Surface
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
@@ -14,195 +14,195 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
-ms.reviewer:
+ms.reviewer:
---
-# Password-less Strategy
+# Passwordless Strategy
-## Four steps to Password-less
+## Four steps to password freedom
-Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less.
-
+Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom.
+
### 1. Develop a password replacement offering
-Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
+Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
-Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
+Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
### 2. Reduce user-visible password surface area
-With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
+With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
-### 3. Transition into a password-less deployment
-Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
- - the user never types their password
- - the user never changes their password
- - the user does not know their password
+### 3. Transition into a passwordless deployment
+Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where:
+- the users never type their password
+- the users never change their password
+- the users do not know their password
-In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
+In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
### 4. Eliminate passwords from the identity directory
-The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment.
+The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment.
## Methodology
-The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations.
+Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations.
-### Prepare for the Journey
-The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey.
+### Prepare for the Journey
+The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey.
-The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is:
+The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the:
- Number of departments
-- Organization or department hierarchy
+- Organization or department hierarchy
- Number and type of applications and services
- Number of work personas
- Organization's IT structure
-#### Number of departments
-The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well.
+#### Number of departments
+The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly, while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well.
-You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less.
+You need to know all the departments within your organization and you need to know which departments use computers and which ones do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable.
-Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy.
+Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy.
#### Organization or department hierarchy
-Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device.
+Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.
#### Number and type of applications and services
-The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
+The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
-Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications.
+Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications.
#### Number of work personas
-Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona.
+Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona.
-A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name.
+A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name.
-Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona.
+Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona.
-Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software.
+Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person who is in that department and who uses that specific software.
#### Organization's IT structure
-IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded.
+IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded.
#### Assess your Organization
-You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what?
+You have a ton of information. You have created your work personas, you have identified your stakeholders throughout the different IT groups. Now what?
-By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity.
+By now you can see why it is a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you have identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it is only a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project which must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity.
-How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will:
+How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they have agreed on the strategy). Those resources will:
- work through the work personas
- organize and deploy user acceptance testing
- evaluate user acceptance testing results for user-visible password surfaces
- work with stakeholders to create solutions that mitigate user-visible password surfaces
- add the solution to the project backlog and prioritize against other projects
-- deploy solution
-- User acceptance testing to confirm the solution mitigates the user-visible password surface
-- Repeat as needed
+- deploy the solution
+- perform user acceptance testing to confirm that the solution mitigates the user-visible password surface
+- repeat the testing as needed
-Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less.
+Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state.
### Where to start?
-What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused.
+What is the best guidance for kicking off the journey to password freedom? You will want to show your management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused.
-#### Work persona
-You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps.
+#### Work persona
+You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the steps to password freedom.
> [!IMPORTANT]
-> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
+> Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
-Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot.
+Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot.
-Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona.
+Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of the targeted work persona.
-You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line.
+You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline.
## The Process
-The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
+The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this:
-1. Password-less replacement offering (Step 1)
- 1. Identify test users that represent the targeted work persona.
+1. Passwordless replacement offering (Step 1)
+ 1. Identify test users representing the targeted work persona.
2. Deploy Windows Hello for Business to test users.
- 3. Validate password and Windows Hello for Business work.
+ 3. Validate that passwords and Windows Hello for Business work.
2. Reduce User-visible Password Surface (Step 2)
1. Survey test user workflow for password usage.
2. Identify password usage and plan, develop, and deploy password mitigations.
3. Repeat until all user password usage is mitigated.
- 4. Remove password capabilities from the Windows.
- 5. Validate **all** workflows do not need passwords.
-3. Transition into a password-less (Step 3)
- 1. Awareness campaign and user education.
- 2. Including remaining users that fit the work persona.
- 3. Validate **all** users of the work personas do not need passwords.
- 4. Configure user accounts to disallow password authentication.
+ 4. Remove password capabilities from Windows.
+ 5. Validate that **none of the workflows** need passwords.
+3. Transition into a passwordless scenario (Step 3)
+ 1. Awareness campaign and user education.
+ 2. Include remaining users who fit the work persona.
+ 3. Validate that **none of the users** of the work personas need passwords.
+ 4. Configure user accounts to disallow password authentication.
-After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process.
+After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
-### Password-less replacement offering (Step 1)
-THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
+### Passwordless replacement offering (Step 1)
+The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
#### Identify test users that represent the targeted work persona
-A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
+A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
#### Deploy Windows Hello for Business to test users
-Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
+Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
-With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment.
+With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment.
> [!NOTE]
-> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
+> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
-#### Validate password and Windows Hello for Business work
-In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
+#### Validate that passwords and Windows Hello for Business work
+In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
### Reduce User-visible Password Surface (Step 2)
Before you move to step 2, ensure you have:
-- selected your targeted work persona.
-- identified your test users that represented the targeted work persona.
+- selected your targeted work persona.
+- identified your test users who represent the targeted work persona.
- deployed Windows Hello for Business to test users.
- validated passwords and Windows Hello for Business both work for the test users.
#### Survey test user workflow for password usage
-Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2.
+Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as you further your progress through step 2.
-Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is:
+Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
- What is the name of the application that asked for a password?.
- Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?).
- What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.).
- How frequently do you use this application in a given day? week?
-- Is the password you type into the application the same as the password you use to sign-in to Windows?
+- Is the password you type into the application the same as the password you use to sign-in to Windows?
-Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less.
+Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless.
#### Identify password usage and plan, develop, and deploy password mitigations
-Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password.
+Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password.
-Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
+Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it is policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
-Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like:
+Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like:
- Provisioning a new brand new user without a password.
- Users who forget the PIN or other remediation flows when the strong credential is unusable.
-Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization.
+Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization.
-Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
+Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
-Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
+Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
-The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
+The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
-Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate.
+Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
#### Repeat until all user password usage is mitigated
-Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance.
+Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance.
-#### Remove password capabilities from the Windows
-You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password.
+#### Remove password capabilities from Windows
+You believe you have mitigated all the password usage for the targeted work persona. Now comes the true test - configure Windows so the user cannot use a password.
-Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
+Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
-##### Security Policy
-You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
+##### Security Policy
+You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
**Windows Server 2016 and earlier**
@@ -213,33 +213,33 @@ The policy name for these operating systems is **Interactive logon: Require smar
The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
+When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
-You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon**
-The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
+The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
-Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
+Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
-#### Validate all workflows do not need passwords
-This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
+#### Validate that none of the workflows needs passwords
+This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
-### Transition into a password-less deployment (Step 3)
-Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success.
+### Transition into a passwordless deployment (Step 3)
+Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success.
#### Awareness and user education
-In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign.
+In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this, you want to invest in an awareness campaign.
-An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out.
+An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.
#### Including remaining users that fit the work persona
-You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment.
+You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment.
-#### Validate **all** users of the work personas do not need passwords.
-You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment.
+#### Validate that none of the users of the work personas needs passwords
+You have successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they do not encounter any issues while working in a passwordless environment.
Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are:
- Is the reporting user performing a task outside the work persona?
@@ -247,24 +247,24 @@ Track all reported issues. Set priority and severity to each reported issue and
- Is the outage a result of a misconfiguration?
- Is the outage a overlooked gap from step 2?
-Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process.
+Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.
-Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating.
+Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.
#### Configure user accounts to disallow password authentication.
-You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
+You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object.
The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL).
> [!NOTE]
-> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
+> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
**SCRIL setting for a user on Active Directory Users and Computers.**
-When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because:
+When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
- the do not know their password.
- their password is 128 random bits of data and is likely to include non-typable characters.
- the user is not asked to change their password
@@ -274,7 +274,7 @@ When you configure an user account for SCRIL, Active Directory changes the affec
**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
> [!NOTE]
-> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
+> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
@@ -283,14 +283,14 @@ When you configure an user account for SCRIL, Active Directory changes the affec
> Windows Hello for Business was formerly known as Microsoft Passport.
##### Automatic password change for SCRIL configured users
-Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users.
+Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
-In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages.
+In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages.
> [!NOTE]
-> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
+> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
## The Road Ahead
-The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback).
+The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a passwordless future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback).
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
index c286b36226..312e43cff6 100644
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@@ -1,6 +1,6 @@
# [Windows Hello for Business](hello-identity-verification.md)
-##[Password-less Strategy](passwordless-strategy.md)
+## [Password-less Strategy](passwordless-strategy.md)
## [Windows Hello for Business Overview](hello-overview.md)
## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
@@ -53,7 +53,6 @@
#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
## [Windows Hello and password changes](hello-and-password-changes.md)
@@ -63,4 +62,4 @@
### [Windows Hello for Business Videos](hello-videos.md)
## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
\ No newline at end of file
+## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index b6001998ed..d55a5400cc 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -17,7 +17,7 @@ ms.date: 02/05/2018
# Identity and access management
-Learn more about identity annd access management technologies in Windows 10 and Windows 10 Mobile.
+Learn more about identity and access management technologies in Windows 10 and Windows 10 Mobile.
| Section | Description |
|-|-|
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index df25b0e70c..59a2e070cb 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.date: 01/12/2018
ms.reviewer:
---
-# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
+# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
**Applies to**
- Windows 10
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 178333b713..3038aa0e34 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -59,7 +59,7 @@ Always On is a feature in Windows 10 which enables the active VPN profile to con
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
-When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
+When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers.
Preserving user Always On preference
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 8029b9b1b9..acd70ac9ea 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -206,7 +206,7 @@ This command returns the volumes on the target, current encryption status and vo
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process.
-``` syntax
+```powershell
manage-bde –protectors -add C: -startupkey E:
manage-bde -on C:
```
@@ -237,7 +237,7 @@ Data volumes use the same syntax for encryption as operating system volumes but
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
-``` syntax
+```powershell
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
@@ -382,13 +382,13 @@ Occasionally, all protectors may not be shown when using Get-BitLockerVo
If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
-``` syntax
+```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
Using this information, we can then remove the key protector for a specific volume using the command:
-``` syntax
+```powershell
Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
```
> **Note:** The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
@@ -398,19 +398,19 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
To enable BitLocker with just the TPM protector. This can be done using the command:
-``` syntax
+```powershell
Enable-BitLocker C:
```
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
-``` syntax
+```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest
```
### Data volume
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
-``` syntax
+```powershell
$pw = Read-Host -AsSecureString
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
@@ -423,12 +423,12 @@ The ADAccountOrGroup protector is an Active Directory SID-based protector. This
To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
-``` syntax
+```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
-``` syntax
+```powershell
get-aduser -filter {samaccountname -eq "administrator"}
```
> **Note:** Use of this command requires the RSAT-AD-PowerShell feature.
@@ -437,7 +437,7 @@ get-aduser -filter {samaccountname -eq "administrator"}
In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
-``` syntax
+```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
```
> **Note:** Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
@@ -469,7 +469,7 @@ Administrators who prefer a command line interface can utilize manage-bde to che
To check the status of a volume using manage-bde, use the following command:
-``` syntax
+```powershell
manage-bde -status
```
> **Note:** If no volume letter is associated with the -status command, all volumes on the computer display their status.
@@ -480,7 +480,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu
Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
-``` syntax
+```powershell
Get-BitLockerVolume -Verbose | fl
```
This command will display information about the encryption method, volume type, key protectors, etc.
@@ -506,12 +506,12 @@ Once decryption is complete, the drive will update its status in the control pan
Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
-``` syntax
+```powershell
manage-bde -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command:
-``` syntax
+```powershell
manage-bde -status C:
```
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
@@ -520,12 +520,12 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is:
-``` syntax
+```powershell
Disable-BitLocker
```
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
-``` syntax
+```powershell
Disable-BitLocker -MountPoint E:,F:,G:
```
## See also
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 70ba14d6a6..f8d1a6e1f9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -52,14 +52,14 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window
By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell.
-``` syntax
+```powershell
Install-WindowsFeature BitLocker -WhatIf
```
The results of this command show that only the BitLocker Drive Encryption feature installs using this command.
To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command:
-``` syntax
+```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
```
@@ -75,7 +75,7 @@ The result of this command displays the following list of all the administration
The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is:
-``` syntax
+```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
```
@@ -85,7 +85,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
-``` syntax
+```powershell
Get-WindowsOptionalFeature -Online | ft
```
@@ -93,13 +93,13 @@ From this output, we can see that there are three BitLocker related optional fea
To install BitLocker using the `dism` module, use the following command:
-``` syntax
+```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
```
This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
-``` syntax
+```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
```
## More information
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 6545ca0992..49b3e4f60f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -313,7 +313,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many
- Verify the clients were rebooted after applying the policy.
- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer:
- ``` syntax
+ ```powershell
manage-bde –protectors –get C:
```
>**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index b89ced627d..e6b90ed8bc 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -48,7 +48,7 @@ This is applicable to Azure Hybrid AD as well.
For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
-## Managing servers
+## Managing servers
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index f21beec5e9..bde16da8e3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -278,26 +278,25 @@ You can reset the recovery password in two ways:
1. Remove the previous recovery password
- ``` syntax
+ ```powershell
Manage-bde –protectors –delete C: –type RecoveryPassword
```
2. Add the new recovery password
- ``` syntax
+ ```powershell
Manage-bde –protectors –add C: -RecoveryPassword
-
```
3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
- ``` syntax
+ ```powershell
Manage-bde –protectors –get C: -Type RecoveryPassword
-
```
+
4. Backup the new recovery password to AD DS
- ``` syntax
+ ```powershell
Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
>**Warning:** You must include the braces in the ID string.
@@ -315,7 +314,7 @@ You can reset the recovery password in two ways:
You can use the following sample script to create a VBScript file to reset the recovery passwords.
-``` syntax
+```vb
' Target drive letter
strDriveLetter = "c:"
' Target computer name
@@ -404,7 +403,7 @@ The following sample script exports all previously-saved key packages from AD D
You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS.
-``` syntax
+```vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
@@ -551,7 +550,7 @@ The following sample script exports a new key package from an unlocked, encrypte
**cscript GetBitLockerKeyPackage.vbs -?**
-``` syntax
+```vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index 30fea18843..20ab73acfb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -46,7 +46,7 @@ Listed below are examples of basic valid commands for operating system volumes.
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
-``` syntax
+```powershell
manage-bde -status
```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
@@ -55,7 +55,7 @@ This command returns the volumes on the target, current encryption status, encry
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
-``` syntax
+```powershell
manage-bde –protectors -add C: -startupkey E:
manage-bde -on C:
```
@@ -64,7 +64,7 @@ manage-bde -on C:
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command:
-``` syntax
+```powershell
manage-bde -protectors -add C: -pw -sid
```
@@ -72,13 +72,13 @@ This command will require you to enter and then confirm the password protector b
On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
-``` syntax
+```powershell
manage-bde -on C:
```
This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
-``` syntax
+```powershell
manage-bde -protectors -get
```
### Using manage-bde with data volumes
@@ -87,7 +87,7 @@ Data volumes use the same syntax for encryption as operating system volumes but
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
-``` syntax
+```powershell
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
@@ -257,7 +257,7 @@ If you want to remove the existing protectors prior to provisioning BitLocker on
A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
-``` syntax
+```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
@@ -266,7 +266,7 @@ Using this, you can display the information in the $keyprotectors variable to de
Using this information, you can then remove the key protector for a specific volume using the command:
-``` syntax
+```powershell
Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
```
@@ -278,13 +278,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the ma
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
-``` syntax
+```powershell
Enable-BitLocker C:
-
```
+
In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
-``` syntax
+```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest
```
@@ -293,7 +293,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
SecureString value to store the user defined password.
-``` syntax
+```powershell
$pw = Read-Host -AsSecureString
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
@@ -306,7 +306,7 @@ The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2
To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
-``` syntax
+```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
@@ -314,7 +314,7 @@ For users who wish to use the SID for the account or group, the first step is to
>**Note:** Use of this command requires the RSAT-AD-PowerShell feature.
-``` syntax
+```powershell
get-aduser -filter {samaccountname -eq "administrator"}
```
@@ -322,7 +322,7 @@ get-aduser -filter {samaccountname -eq "administrator"}
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
-``` syntax
+```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
```
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index e19f192e4c..01c9fe213f 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -66,13 +66,13 @@ BitLocker encryption is available for disks before or after addition to a cluste
2. Ensure the disk is formatted NTFS and has a drive letter assigned to it.
3. Identify the name of the cluster with Windows PowerShell.
- ``` syntax
+ ```powershell
Get-Cluster
-
```
+
4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
- ``` syntax
+ ```powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
@@ -88,32 +88,32 @@ When the cluster service owns a disk resource already, it needs to be set into m
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Check the status of the cluster disk using Windows PowerShell.
- ``` syntax
+ ```powershell
Get-ClusterResource "Cluster Disk 1"
```
3. Put the physical disk resource into maintenance mode using Windows PowerShell.
- ``` syntax
+ ```powershell
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
```
4. Identify the name of the cluster with Windows PowerShell.
- ``` syntax
+ ```powershell
Get-Cluster
```
5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
- ``` syntax
+ ```powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
>**Warning:** You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode:
- ``` syntax
+ ```powershell
Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
```
@@ -146,7 +146,7 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps
6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**".
CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below.
-``` syntax
+```powershell
manage-bde -status "C:\ClusterStorage\volume1"
```
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index a0d1ffbf6e..fbb2f028fd 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -24,11 +24,11 @@ The Windows 10 operating system improves most existing security features in the
**See also:**
- - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
+- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
- - [TPM Fundamentals](tpm-fundamentals.md)
+- [TPM Fundamentals](tpm-fundamentals.md)
- - [TPM Recommendations](tpm-recommendations.md)
+- [TPM Recommendations](tpm-recommendations.md)
## TPM Overview
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 08af5d2456..96b109ce32 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -172,6 +172,17 @@ You can try any of the processes included in these scenarios, but you should foc
+
+
Stop Google Drive from syncing WIP protected files and folders.
+
+
+
In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.
>[!NOTE]
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index cf6a9871cb..5f3fdf726a 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -17,6 +17,7 @@
### [Attack surface reduction]()
+#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@@ -58,46 +59,40 @@
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
-##### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
-##### [Machine timeline]()
-###### [View machine profile](microsoft-defender-atp/investigate-machines.md#machine-timeline)
-###### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
-###### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
-###### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
+###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
+###### [Initiate Automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-###### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
-###### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
-###### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
+###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
+###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
+###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
##### [Investigate entities using Live response]()
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
-######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
+###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Automated investigation and remediation]()
#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
-#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
+##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
### [Secure score](microsoft-defender-atp/overview-secure-score.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
@@ -105,21 +100,19 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
-
-##### [Advanced hunting schema reference]()
-###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
-###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
-
-##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+#### [Advanced hunting schema reference]()
+##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
+##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
+##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@@ -133,7 +126,7 @@
#### [Integrations]()
##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
-##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
+##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
#### [Information protection in Windows overview]()
@@ -172,27 +165,17 @@
### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
## [Configure and manage capabilities]()
+
### [Configure attack surface reduction]()
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
-#### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
-##### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
-###### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
-###### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
-###### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
-##### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
-##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
-##### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
-##### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
-#### [Hardware-based isolation]()
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+### [Hardware-based isolation]()
+#### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-##### [Application isolation]()
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+#### [Application isolation]()
+##### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
#### [Device control]()
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
@@ -215,10 +198,15 @@
#### [Attack surface reduction controls]()
##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+
+
### [Configure next generation protection]()
#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
@@ -309,6 +297,21 @@
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
+#### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
+##### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
+##### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
+##### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
+##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
+#### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
+#### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
+#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
+#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
+
+
+
+
### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
@@ -481,6 +484,7 @@
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
### [Configure portal settings]()
+#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
@@ -510,7 +514,7 @@
##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
-#### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
+#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
## [Troubleshoot Microsoft Defender ATP]()
@@ -1049,7 +1053,7 @@
###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index c5c5466214..f623632235 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -39,6 +39,26 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
+
+
+6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
+
+ - **This folder only**
+ - **This folder, subfolders and files**
+ - **This folder and subfolders**
+ - **This folder and files**
+ - **Subfolders and files only**
+ - **Subfolders only**
+ - **Files only**
+
+7. By default, the selected **Basic Permissions** to audit are the following:
+ - **Read and execute**
+ - **List folder contents**
+ - **Read**
+ - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
+
+
+
> **Important:** Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
## Additional considerations
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index 163c584492..2ca7cca35a 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -30,9 +30,9 @@ There is no example of this event in this document.
***Event Schema:***
-*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. *
+*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
-*Number of audit messages discarded: %1 *
+*Number of audit messages discarded: %1*
*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index be8925c8ba..9231f28b82 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -48,7 +48,7 @@ It appears that this event never occurs.
*LPC Server Port Name:%6*
-*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." *
+*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index f3c3ed088b..2ca7e8267c 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
-**Logon Information** \[Version 2\]**: **
+**Logon Information** \[Version 2\]**:**
- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field.
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 95a2dfe34f..45dcd000c9 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 8e1fe42fab..94d84a85cf 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -151,7 +151,7 @@ This event generates every time a new process starts.
- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
-- **Token Elevation Type** \[Type = UnicodeString\]**: **
+- **Token Elevation Type** \[Type = UnicodeString\]**:**
- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index f9b06a7a3b..f78b83ef3c 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**New Right: **
+**New Right:**
- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index d009b73786..09c240e026 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**Removed Right: **
+**Removed Right:**
- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index 38d46d5ace..c51f51c999 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index f04223bd5b..13f2c744aa 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**Access Granted: **
+**Access Granted:**
- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index a86f9f5168..9bb398d835 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**Access Removed: **
+**Access Removed:**
- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 8597d956a6..faa3dcf853 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -266,7 +266,7 @@ For 4738(S): A user account was changed.
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Display Name** **User Principal Name** **Home Directory** **Home Drive** **Script Path** **Profile Path** **User Workstations** **Password Last Set** **Account Expires** **Primary Group ID Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. |
| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. |
-| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
+| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following user account control flags:
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 22ae105d96..b39135ee00 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -276,7 +276,7 @@ For 4742(S): A computer account was changed.
| **Display Name** is not - **User Principal Name** is not - **Home Directory** is not - **Home Drive** is not - **Script Path** is not - **Profile Path** is not - **User Workstations** is not - **Account Expires** is not - **Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. |
| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following: **516** for domain controllers **521** for read only domain controllers (RODCs) **515** for servers and workstations (domain computers) Other values should be monitored. |
-| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
+| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following account control flags:
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index 74ffbb09b0..efdf01da8a 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic
| Job | Port | FilterConnectionPort | |
| ALPC Port | Semaphore | Adapter | |
-- **Object Name: **
+- **Object Name:**
- Key – if “Registry” Global Object Access Auditing policy was changed.
@@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index e62c824d10..62ced88fe8 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -44,7 +44,7 @@ There is no example of this event in this document.
*Security ID:%7*
-*New Flags:%8 *
+*New Flags:%8*
***Required Server Roles:*** Active Directory domain controller.
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index f74c140ce4..34454c6d14 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects.
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index cc73362f36..d385a72649 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index f8dcd9f29b..3be7e9bec3 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -156,7 +156,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index 81e6052b16..c7f46521ae 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -141,7 +141,7 @@ This event generates every time network share object was modified.
- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 696faaadce..f5ec73669e 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 4d84e4bb68..c1f8d98680 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
-> *Layer Run-Time ID:%10 *
+> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 25faaeb212..699a093def 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
-> *Layer Run-Time ID:%10 *
+> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index d018fdee5e..7a379132bc 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -30,7 +30,7 @@ There is no example of this event in this document.
*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
-*IP address of the client that sent this response:%1 *
+*IP address of the client that sent this response:%1*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 9f647bcec8..1ce4c083dd 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: Received invalid data from a peer. Data discarded. *
+*BranchCache: Received invalid data from a peer. Data discarded.*
*IP address of the client that sent this data:%1*
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 5002d2167c..dde20455d3 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
+*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.*
*IP address of the client that sent this message: %1*
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index 29629cb6a7..e8020581ad 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. *
+*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.*
*Domain name of the hosted cache is:%1*
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index 0505b241b2..43228f26be 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
+*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.*
*Domain name of the hosted cache:%1*
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 8f28ea3891..e1f76dbf69 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: A service connection point object could not be parsed. *
+*BranchCache: A service connection point object could not be parsed.*
*SCP object GUID: %1*
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index e8f58439cb..2517d1852c 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -32,8 +32,8 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
- Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
- Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
-![Create device configuration profile]
-These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.
+>[!Note]
+>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.
## Prevent threats from removable storage
@@ -112,13 +112,13 @@ To prevent malware infections or data loss, an organization may restrict USB dri
| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
-All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
+All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
>[!Note]
>Using Intune, you can apply device configuration policies to AAD user and/or device groups.
-The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
+The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
>[!Note]
>Always test and refine these settings with a pilot group of users and devices first before applying them in production.
@@ -131,9 +131,17 @@ One way to approach allowing installation and usage of USB drives and other peri
>[!Note]
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
>1. Enable **prevent installation of devices not described by other policy settings** to all users.
->2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To enforce the policy for already installed devices, apply the prevent policies that have this setting.
+When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection.
+
+
+
+In this example, the following classesneeded to be added: HID, Keboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes).
+
+
+
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example,
1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup**
@@ -144,7 +152,7 @@ If you want to restrict to certain devices, remove the device setup class of the
>Using PowerShell: Get-WMIObject -Class Win32_DiskDrive |
Select-Object -Property *
->For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers)
+>For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers)
### Prevent installation and usage of USB drives and other peripherals
If you want to prevent a device class or certain devices, you can use the prevent device installation policies.
@@ -155,46 +163,6 @@ If you want to prevent a device class or certain devices, you can use the preven
>[!Note]
>The prevent device installation policies take precedence over the allow device installation policies.
-### Security Baseline
-
-The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings.
-
-
-
-### Bluetooth
-
-Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked.
-
-
-
-
-
-
-## Detect plug and play connected events
-
-You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
-For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
-Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
-
-## Respond to threats
-
-Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
-
->[!NOTE]
->Always test and refine these settings with a pilot group of users and devices first before applying them in production.
-
-The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
-For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
-
-| Control | Description |
-|----------|-------------|
-| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
-| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
-| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
-
->[!NOTE]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
-
### Block installation and usage of removable storage
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
@@ -235,6 +203,60 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by
- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
+### Security Baseline
+
+The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings.
+
+
+
+### Bluetooth
+
+Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked.
+
+
+
+## Detect plug and play connected events
+
+You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
+For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
+Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
+
+## Respond to threats
+
+Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
+
+>[!NOTE]
+>Always test and refine these settings with a pilot group of users and devices first before applying them in production.
+
+The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
+For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
+
+| Control | Description |
+|----------|-------------|
+| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
+| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
+| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
+
+>[!NOTE]
+>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+
+### Custom Alerts and Response Actions
+
+You can create custom alerts and response actions with the WDATP Connector and the Custom Detection Rules:
+
+**Wdatp Connector response Actions:**
+
+**Investigate:** Initiate investigations, collect investigation package, and isolate a machine.
+
+**Threat Scanning** on USB devices
+
+**Restrict execution of all applications** on the machine except a predefined set
+MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built.
+- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/connectors/wdatp/)
+
+**Custom Detection Rules Response Action:**
+Both machine and file level actions can be applied.
+- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules)
## Related topics
@@ -242,6 +264,7 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by
- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
+- [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates)
- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
new file mode 100644
index 0000000000..fd0666ef4c
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
new file mode 100644
index 0000000000..089a1b70fe
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicesbyconnection.png differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
new file mode 100644
index 0000000000..10b636fc0d
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicevendorid.jpg differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
new file mode 100644
index 0000000000..c86eab1470
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg differ
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index ac3e78109d..5548e18dd5 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -18,14 +18,14 @@ ms.reviewer:
On this page
- - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo)
- - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd)
- - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd)
- - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve)
- - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac)
- - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac)
- - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac)
- - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg)
+- [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo)
+- [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd)
+- [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd)
+- [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve)
+- [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac)
+- [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac)
+- [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac)
+- [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg)
Updated: March 2018
@@ -103,12 +103,12 @@ Rather than validate individual components and products, Microsoft chooses to va
The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules:
- - Schannel Security Package
- - Remote Desktop Protocol (RDP) Client
- - Encrypting File System (EFS)
- - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
- - BitLocker® Drive Full-volume Encryption
- - IPsec Settings of Windows Firewall
+- Schannel Security Package
+- Remote Desktop Protocol (RDP) Client
+- Encrypting File System (EFS)
+- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+- BitLocker® Drive Full-volume Encryption
+- IPsec Settings of Windows Firewall
## Information for System Integrators
@@ -145,12 +145,12 @@ While there are alternative methods for setting the FIPS local/group security po
The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy.
- - Schannel Security Package
- - Remote Desktop Protocol (RDP) Client
- - Encrypting File System (EFS)
- - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
- - BitLocker® Drive Full-volume Encryption
- - IPsec Settings of Windows Firewall
+- Schannel Security Package
+- Remote Desktop Protocol (RDP) Client
+- Encrypting File System (EFS)
+- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+- BitLocker® Drive Full-volume Encryption
+- IPsec Settings of Windows Firewall
#### Effects of Setting FIPS Local/Group Security Policy Flag
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 05cbed96aa..97a809c8de 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -141,7 +141,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)**
Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization.
- [Conditional access](microsoft-defender-atp/conditional-access.md)
-- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md)
+- [Office 365 ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md)
- [Skype for Business](microsoft-defender-atp/threat-protection-integration.md)
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index ab6330fbe8..52771c8630 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 269b44ae01..31ef30f618 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index dbccc045ba..79047be15a 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
index 0367399251..1a57f85019 100644
--- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
+++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index cf077a0a1b..3e680879b5 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: levinec
+ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
index 4ae184bdda..19d1a76072 100644
--- a/windows/security/threat-protection/intelligence/developer-info.md
+++ b/windows/security/threat-protection/intelligence/developer-info.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: levinec
+ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 047f060649..a7e660c5da 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: security
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
index 0716cab937..beff687643 100644
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 6e0e5385e8..62bcff1173 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index f26e686027..d4c3119d19 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 83a0c0a704..2a52b19798 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 27d9e2a4fe..4f5d3c7278 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index d916ad8a4b..59d35b2c35 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index b7eaea126c..5ebb6aa87a 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index 528be6dda2..3dc3456226 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index 07018d689f..d3bd25dce2 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 54f39ce774..545a2d7f62 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
index 6ea3d8c4e2..7530ec2c2e 100644
--- a/windows/security/threat-protection/intelligence/supply-chain-malware.md
+++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 4744f0f0e3..35942059ca 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index a786d8ecd1..c1d189ea17 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: high
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index 918006ff72..c9f64fecd6 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index 1be49ef74a..220e69b806 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index d8e216919b..28718f36f6 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index b899f41868..82c6baab29 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 50fe7168fa..38ad06123a 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index aca7c0581d..6c51864314 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
index fe729da635..0f5c27cc7e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index a3455dcc67..652e76f78d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -38,7 +38,7 @@ On the top navigation you can:
-## Sort, filter, and group the alerts queue
+## Sort, filter, and group the alerts queue
You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
### Severity
@@ -58,10 +58,10 @@ The Windows Defender AV threat severity represents the absolute severity of the
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
-- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
-- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
-- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
-- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
+- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
+- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
index a3d83d4880..b4aec2ce09 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 4c97c07b2e..9706e81443 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -28,7 +28,7 @@ ms.date: 10/16/2017
Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-## Alert API fields and portal mapping
+## Alert API fields and portal mapping
The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
index 122b141332..e526a20669 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
@@ -22,6 +22,12 @@ ms.topic: article
Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
+### Throttling limits
+
+Name | Calls | Renewal period
+:---|:---|:---
+API calls per connection | 100 | 60 seconds
+
## Legal Notices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index e97f64fda4..3fd9f905d0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 1eadc36802..f6f11da946 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -22,7 +22,7 @@ ms.date: 04/11/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks.
The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks.
@@ -34,6 +34,8 @@ Your configuration score widget shows the collective security configuration stat
- Security controls
## How it works
+>[!NOTE]
+> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
index 0911a2d722..9356c13eb8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 0d8f88aa59..706f90cf75 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index d12bc037b7..406b15ff97 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -1,6 +1,8 @@
---
title: Configure managed security service provider support
-description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
+
+description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
+
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -21,9 +23,11 @@ ms.date: 09/03/2018
# Configure managed security service provider integration
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+
[!include[Prerelease information](prerelease.md)]
@@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu
> - MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
-- Get access to MSSP customer's Microsoft Defender Security Center portal
+
+- Get access to MSSP customer's Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
-Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
+Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
+
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
-- **Grant the MSSP access to Microsoft Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
+
+- **Grant the MSSP access to Windows Defender Security Center**
+This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.
+
- **Configure alert notifications sent to MSSPs**
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
@@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal
->[!NOTE]
+
+>[!NOTE]
> These set of steps are directed towards the MSSP customer.
> Access to the portal can only be done by the MSSP customer.
-As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
+As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
+
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
-- Grant MSSP user access to Microsoft Defender Security Center
+
+- Grant MSSP user access to Windows Defender Security Center
+
### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
-
-### Grant MSSP user access to Microsoft Defender Security Center
-Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
+
+### Grant MSSP user access to Windows Defender Security Center
+Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
-If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
+If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac.md).
+
>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
@@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
-## Access the Microsoft Defender Security Center MSSP customer portal
+
+## Access the Windows Defender Security Center MSSP customer portal
->[!NOTE]
+>[!NOTE]
>These set of steps are directed towards the MSSP.
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
@@ -123,11 +138,13 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
+
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
+
These check boxes must be checked:
- - **Include organization name** - The customer name will be added to email notifications
- - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
+- **Include organization name** - The customer name will be added to email notifications
+- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
## Fetch alerts from MSSP customer's tenant into the SIEM system
@@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
-
-Step 3: Whitelist your application on Microsoft Defender Security Center
+
+Step 3: Whitelist your application on Windows Defender Security Center
+
### Step 1: Create an application in Azure Active Directory (Azure AD)
-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
+
+You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
+
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
-3. Click **New application registration**.
+
+3. Click **New registration**.
+
4. Specify the following values:
- Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- - Application type: Web app / API
- - Sign-on URL: `https://SiemMsspConnector`
+
+ - Supported account types: Account in this organizational directory only
+ - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
-5. Click **Create**. The application is displayed in the list of applications you own.
+5. Click **Register**. The application is displayed in the list of applications you own.
-6. Select the application, then click **Settings** > **Properties**.
+6. Select the application, then click **Overview**.
-7. Copy the value from the **Application ID** field.
+7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
-8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name.
+8. Select **Certificate & secrets** in the new application panel.
-9. Ensure that the **Multi-tenanted** field is set to **Yes**.
+9. Click **New client secret**.
-10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`.
-
-11. Click **Save**.
-
-12. Select **Keys** and specify the following values:
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
-13. Click **Save**. Save the value is a safe place, you'll need this
+
+10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
+
### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
@@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
-
- - Replace \ with the Application ID you got from the previous step.
- - Replace \ with the application key you created from the previous step.
- - Replace \ with your customer's tenant ID.
+
+ - Replace \ with the **Application (client) ID** you got from the previous step.
+ - Replace \ with the **Client Secret** you created from the previous step.
+ - Replace \ with your customer's **Tenant ID**.
+
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
-### Step 3: Whitelist your application on Microsoft Defender Security Center
-You'll need to whitelist the application you created in Microsoft Defender Security Center.
+
+### Step 3: Whitelist your application on Windows Defender Security Center
+You'll need to whitelist the application you created in Windows Defender Security Center.
+
You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
@@ -272,12 +295,15 @@ You'll need to have **Manage portal system settings** permission to whitelist th
5. Click **Authorize application**.
-You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
+
+You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
+
- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
+
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
## Related topics
@@ -285,4 +311,5 @@ For information on how to fetch alerts using REST API, see [Pull alerts using RE
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index dba3eaf576..71cc754e25 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -36,17 +36,17 @@ The embedded Microsoft Defender ATP sensor runs in system context using the Loca
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- - Auto-discovery methods:
- - Transparent proxy
- - Web Proxy Auto-discovery Protocol (WPAD)
+- Auto-discovery methods:
+ - Transparent proxy
+ - Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
- - Manual static proxy configuration:
- - Registry based configuration
- - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
+- Manual static proxy configuration:
+ - Registry based configuration
+ - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
@@ -182,4 +182,4 @@ However, if the connectivity check results indicate a failure, an HTTP error is
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
\ No newline at end of file
+- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index c100b9ddf2..f4a2b266d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
-recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index c3eaee164d..55180b158c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md
index da3414815c..20b16719e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md
@@ -2,7 +2,7 @@
ms.date: 10/17/2018
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
---
> [!WARNING]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index 1939474a15..c589b30285 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
index 9b2eecd333..14ad8b673c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
@@ -49,19 +49,19 @@ When you add a machine to your environment, Microsoft Defender ATP sets up a wel
The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
- The following security components are pre-configured in the test machines:
+ The following security components are pre-configured in the test machines:
- - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
- - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
- - [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
- - [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection)
- - [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
- - [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus)
- - [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
- - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
+- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+- [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
+- [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection)
+- [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
+- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus)
+- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
+- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
- >[!NOTE]
- > Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+>[!NOTE]
+> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 6d064aed64..a2e28ff082 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -62,29 +62,29 @@ This page explains how to create an AAD application, get an access token to Micr
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+ - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- 
+ 
- - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
+ - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
- 
+ 
- - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
+ - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
- For instance,
+ For instance,
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+ - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- - Click **Grant consent**
+ - Click **Grant consent**
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
- 
+ 
6. Write down your application ID and your tenant ID:
@@ -102,42 +102,42 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
- Copy/Paste the below class in your application.
- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
- ```
- namespace WindowsDefenderATP
- {
- using System.Net.Http;
- using System.Text;
- using System.Threading.Tasks;
- using Newtonsoft.Json.Linq;
+ ```csharp
+ namespace WindowsDefenderATP
+ {
+ using System.Net.Http;
+ using System.Text;
+ using System.Threading.Tasks;
+ using Newtonsoft.Json.Linq;
- public static class WindowsDefenderATPUtils
- {
- private const string Authority = "https://login.windows.net";
+ public static class WindowsDefenderATPUtils
+ {
+ private const string Authority = "https://login.windows.net";
- private const string WdatpResourceId = "https://api.securitycenter.windows.com";
+ private const string WdatpResourceId = "https://api.securitycenter.windows.com";
- public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
- {
- using (var httpClient = new HttpClient())
- {
- var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
+ public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
+ {
+ using (var httpClient = new HttpClient())
+ {
+ var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
- var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
+ var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
- using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
- {
- response.EnsureSuccessStatusCode();
+ using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
+ {
+ response.EnsureSuccessStatusCode();
- var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+ var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
- var jObject = JObject.Parse(json);
+ var jObject = JObject.Parse(json);
- return jObject["access_token"].Value();
- }
- }
- }
- }
- }
+ return jObject["access_token"].Value();
+ }
+ }
+ }
+ }
+ }
```
## Validate the token
@@ -156,16 +156,17 @@ Sanity check to make sure you got a correct token:
- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
- Example of sending a request to get a list of alerts **using C#**
- ```
- var httpClient = new HttpClient();
- var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+ ```csharp
+ var httpClient = new HttpClient();
- request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+ var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
- var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
- // Do something useful with the response
+ var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
+
+ // Do something useful with the response
```
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index 880b4e2b38..60ecb971c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index 58362fcab8..31fa70aa03 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -26,9 +26,9 @@ ms.date: 09/24/2018
Full scenario using multiple APIs from Microsoft Defender ATP.
In this section we share PowerShell samples to
- - Retrieve a token
- - Use token to retrieve the latest alerts in Microsoft Defender ATP
- - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
+- Retrieve a token
+- Use token to retrieve the latest alerts in Microsoft Defender ATP
+- For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
>**Prerequisite**: You first need to [create an app](apis-intro.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
index c8029a1428..0a52c8cea1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index c166277e71..fbcee47cf2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index bd6891a8c2..badfd2aed7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -53,8 +53,8 @@ Do you expect a machine to be in ‘Active’ status? [Open a support ticket](ht
## Misconfigured machines
Misconfigured machines can further be classified to:
- - Impaired communications
- - No sensor data
+- Impaired communications
+- No sensor data
### Impaired communications
This status indicates that there's limited communication between the machine and the service.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md
deleted file mode 100644
index e9af976de1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Get started with Microsoft Defender Advanced Threat Protection
-ms.reviewer:
-description: Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP.
-keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 11/20/2018
----
-
-# Get started with Microsoft Defender Advanced Threat Protection
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP.
-
-The following capabilities are available across multiple products that make up the Microsoft Defender ATP platform.
-
-**Threat & Vulnerability Management**
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience.
-
-**Attack surface reduction**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-
-**Next generation protection**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-
-**Endpoint detection and response**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
-
-**Auto investigation and remediation**
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-
-**Secure score**
-Microsoft Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
-
-**Microsoft Threat Experts**
-Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-
-**Advanced hunting**
-Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center.
-
-**Management and APIs**
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
-
-**Microsoft threat protection**
-Bring the power of Microsoft Threat Protection to your organization.
-
-## In this section
-Topic | Description
-:---|:---
-[Minimum requirements](minimum-requirements.md) | Learn about the requirements for onboarding machines to the platform.
-[Validate licensing and complete setup](licensing.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time.
-[Preview features](preview.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-[Data storage and privacy](data-storage-privacy.md) | Explains the data storage and privacy details related to Microsoft Defender ATP.
-[Assign user access to the portal](assign-portal-access.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC).
-[Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out.
-[Access the Microsoft Defender Security Center Community Center](community.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 2b5551a0bb..92bc4c7650 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
## Request headers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index 341c605bbb..ca042a7e99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
## Request headers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md
deleted file mode 100644
index 3defa8692a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Incidents queue in Microsoft Defender ATP
-description:
-keywords: incidents, aggregate, investigations, queue, ttp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Incidents in Microsoft Defender ATP
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Microsoft Defender ATP will quickly trigger alerts and launch matching automatic investigations.
-
-Microsoft Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
-
-
-## In this section
-
-Topic | Description
-:---|:---
-[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
-[Manage incidents](manage-incidents.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
-[Investigate incidents](investigate-incidents.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index ee65c7302f..dcc141f161 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -45,8 +45,8 @@ Sensitivity labels classify and help protect sensitive content.
Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
-- Default
-- Custom
+- Default
+- Custom
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index 095c078b1f..9747f2d0ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -61,8 +61,8 @@ Comment | String | Comment to associate with the action. **Required**.
IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
**IsolationType** controls the type of isolation to perform and can be one of the following:
-- Full – Full isolation
-- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
+- Full – Full isolation
+- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
## Response
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
index fe12e8ee4e..eb66c2d069 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
@@ -2,7 +2,7 @@
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
---
>[!Note]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index 3113e4b4f9..36e579945b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -36,7 +36,7 @@ Selecting an alert in either of those places brings up the **Alert management pa
You can create a new incident from the alert or link to an existing incident.
## Assign alerts
-If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
+If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself.
## Suppress alerts
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md
deleted file mode 100644
index c852df752c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Manage allowed/blocked lists
-description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage allowed/blocked lists
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-
-Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
-
-On the top navigation you can:
-- Import a list
-- Add an indicator
-- Customize columns to add or remove columns
-- Export the entire list in CSV format
-- Select the items to show per page
-- Navigate between pages
-- Apply filters
-
-## Create an indicator
-1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
-
-2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
- - File hash
- - IP address
- - URLs/Domains
-
-3. Click **Add indicator**.
-
-4. For each attribute specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-
-5. Review the details in the Summary tab, then click **Save**.
-
-
->[!NOTE]
->Blocking IPs, domains, or URLs is currently available on limited preview only.
->This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
->As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
-
-
-## Manage indicators
-1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
-
-2. Select the tab of the entity type you'd like to manage.
-
-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-
-## Import a list
-You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
-
-Download the sample CSV to know the supported column attributes.
-
-
-## Related topics
-- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
index 1dc3f9be1f..2e124ba8aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index dce7f4aaf2..a5f617c624 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index 25c32174b9..c4c4ca728b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
index 5f0af03683..b5bb4b00fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index 352d6289b9..d7197b2574 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index bb96ea1b7e..f799ef59bc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
index 66a4fdedf6..ada385d846 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
@@ -32,13 +32,13 @@ ms.topic: conceptual
Follow the corresponding instructions depending on your preferred deployment method.
## Offboard Windows 10 machines
- - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)
- - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy)
- - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
- - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
+- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)
+- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy)
+- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
+- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
## Offboard Servers
- - [Offboard servers](configure-server-endpoints.md#offboard-servers)
+- [Offboard servers](configure-server-endpoints.md#offboard-servers)
## Offboard non-Windows machines
- - [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines)
+- [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
similarity index 100%
rename from windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
rename to windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index e520f70a7f..ff5e1ed7d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index f28db7412f..0d041b05e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -33,8 +33,8 @@ Topic | Description
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
-Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP.
-Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
+[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
+[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 5de1f9d993..71c91ea9c0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -9,8 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -23,15 +23,14 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in your organization from new and emerging threats.
+Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
-| Capability | Description |
+| Article | Description |
|------------|-------------|
-| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious websites. |
-| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. |
-| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) |
-| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. |
-| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. |
-| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. |
-| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. |
-
+| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
+| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. |
+| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
+| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
+| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) |
+| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) |
+| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index d9d1de552d..9579771415 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index 9065093f4d..8343dc2003 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
index 94b82c67e2..344d125399 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
@@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.author: mjcaparas
+ms.author: macapara
ms.date: 09/07/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
index 5771d8afef..dcaa31ea84 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
@@ -21,7 +21,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->[!NOTE]
+>[!NOTE]
> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
@@ -79,11 +79,11 @@ Within the tile, you can click on each control to see the recommended optimizati
Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
-## Related topic
+## Related topic
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
+- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md
index b2d8409667..e649152e6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
index 89fd91c5ae..8dea2272e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
index 8fe6ed0a0c..e5f2d93731 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
@@ -16,6 +16,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
+
# Configure Microsoft Defender Security Center settings
**Applies to:**
@@ -34,4 +35,3 @@ Permissions | Manage portal access using RBAC as well as machine groups.
APIs | Enable the threat intel and SIEM integration.
Rules | Configure suppressions rules and automation settings.
Machine management | Onboard and offboard machines.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
index a5949f146b..01d6034c12 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
@@ -2,7 +2,7 @@
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 230e57d75e..3910cda2ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -63,7 +63,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- - **Search box** - select File from the drop–down menu and enter the file name
+ - **Search box** - select **File** from the drop–down menu and enter the file name
2. Go to the top bar and select **Stop and Quarantine File**.
@@ -98,7 +98,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
1. Open an elevated command–line prompt on the machine:
- a. Go to **Start** and type cmd.
+ a. Go to **Start** and type _cmd_.
b. Right–click **Command prompt** and select **Run as administrator**.
@@ -157,6 +157,20 @@ When you select this action, a fly-out will appear. From the fly-out, you can re
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
+## Check activity details in Action center
+
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details:
+
+- Investigation package collection
+- Antivirus scan
+- App restriction
+- Machine isolation
+
+All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
+
+
+
+
## Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 5bb659b44e..d9cfb97c3f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -96,7 +96,7 @@ The package contains the following folders:
|:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
-|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewassExecutionLog.txt and pfirewall.log |
+|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. - FirewassExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md
deleted file mode 100644
index 36b3d69003..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Take response actions on files and machines in Microsoft Defender ATP
-description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package.
-keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Take response actions in Microsoft Defender ATP
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink)
-
-You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
-
->[!NOTE]
-> The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows Server, version 1803 and Windows Server 2019.
-
-## In this section
-Topic | Description
-:---|:---
-[Take response actions on a machine](respond-machine-alerts.md)| Isolate machines or collect an investigation package.
-[Take response actions on a file](respond-file-alerts.md)| Stop and quarantine files or block a file from your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index eba85f1a0f..cffc0ad85b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
index 409f485d23..12a021ec3d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md
index 65e723e229..9febf311eb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
index 01dbb65739..c292829e80 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index bd86e1319d..a5154e0ab4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index bcceb8902e..95fe03d4b0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index d9a36f6795..2251ec4e49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Run a detection test on a newly onboarded Microsoft Defender ATP machine
+# Run a detection test on a newly onboarded Microsoft Defender ATP machine
**Applies to:**
- Supported Windows 10 versions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index f7c9eff384..731963f220 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -75,7 +75,7 @@ The **Sensor health** tile provides information on the individual machine’s ab
There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
-- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
+- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
index 7b758a94bc..0be4b4e073 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
@@ -44,9 +44,9 @@ In the context of Microsoft Defender ATP, alert definitions are containers for I
Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console.
Here is an example of an IOC:
- - Type: Sha1
- - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
- - Action: Equals
+- Type: Sha1
+- Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
+- Action: Equals
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
index e620a05684..d527fa77fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Microsoft Threat Protection
+# Microsoft Defender ATP in Microsoft Threat Protection
**Applies to:**
@@ -51,6 +51,9 @@ Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals t
## Office 365 Advanced Threat Protection (Office 365 ATP)
[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
+>[!NOTE]
+> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP.
+
## Skype for Business
The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index f981d9c12a..5f81c16bed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -25,20 +25,22 @@ ms.topic: troubleshooting
- Windows Server 2016
-
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
+
+## Troubleshoot issues with onboarding tools
+
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
-## Troubleshoot onboarding when deploying with Group Policy
+### Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
+### Troubleshoot onboarding issues when deploying with System Center Configuration Manager
When onboarding machines using the following versions of System Center Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
@@ -52,7 +54,7 @@ If the deployment fails, you can check the output of the script on the machines.
If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-## Troubleshoot onboarding when deploying with a script
+### Troubleshoot onboarding when deploying with a script
**Check the result of the script on the machine**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@@ -76,7 +78,7 @@ Event ID | Error Type | Resolution steps
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
65 | Insufficient privileges| Run the script again with administrator privileges.
-## Troubleshoot onboarding issues using Microsoft Intune
+### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
@@ -296,9 +298,9 @@ You might also need to check the following:
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- - Windows 10 Enterprise E5
- - Windows 10 Education E5
- - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+- Windows 10 Enterprise E5
+- Windows 10 Education E5
+- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
deleted file mode 100644
index 0cf451828c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Troubleshoot Microsoft Defender Advanced Threat Protection capabilities
-description: Find solutions to issues on sensor state, service issues, or other Microsoft Defender ATP capabilities
-keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
----
-
-# Troubleshoot Microsoft Defender Advanced Threat Protection
-
-Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilities.
-
-## In this section
-Topic | Description
-:---|:---
-Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor
-Troubleshoot service issues | Fix issues related to the Microsoft Defender Advanced Threat service
-Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules
-Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md
deleted file mode 100644
index 12a8e4cc4e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Microsoft Defender ATP APIs
-ms.reviewer:
-description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
-keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-search.appverid: met150
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP APIs
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## In this section
-Topic | Description
-:---|:---
-[Microsoft Defender ATP API overview](apis-intro.md) | Learn how to access Microsoft Defender ATP APIs.
-[Supported Microsoft Defender ATP APIs](exposed-apis-list.md) | Learn more about how you can run API calls to individual supported entities, and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts.md), [domain related alerts](get-domain-related-alerts.md), or even actions such as [isolate machine](isolate-machine.md).
-How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index f78005ca01..668831d19d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -34,31 +34,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
3. Enter the role name, description, and permissions you'd like to assign to the role.
- - **Role name**
- - **Description**
- - **Permissions**
- - **View data** - Users can view information in the portal.
- - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
-
- >[!NOTE]
- >This setting is only available in the Microsoft Defender ATP administrator (default) role.
+ - **Role name**
+ - **Description**
+ - **Permissions**
+ - **View data** - Users can view information in the portal.
+ - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
+ - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+ - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+ > [!NOTE]
+ > This setting is only available in the Microsoft Defender ATP administrator (default) role.
- - **Live response capabilities** - Users can take basic or advanced live response commands.
- - Basic commands allow users to:
- - Start a live response session
- - Run read only live response commands on a remote machine
- - Advanced commands allow users to:
- - Run basic actions
- - Download a file from the remote machine
- - View a script from the files library
- - Run a script on the remote machine from the files library take read and write commands.
-
- For more information on the available commands, see [Investigate machines using Live response](live-response.md).
-
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+
+ - **Live response capabilities** - Users can take basic or advanced live response commands.
+ - Basic commands allow users to:
+ - Start a live response session
+ - Run read only live response commands on a remote machine
+ - Advanced commands allow users to:
+ - Run basic actions
+ - Download a file from the remote machine
+ - View a script from the files library
+ - Run a script on the remote machine from the files library take read and write commands.
+
+ For more information on the available commands, see [Investigate machines using Live response](live-response.md).
+
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 994b79b7b6..b3c05cd9a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -79,8 +79,8 @@ For more information preview features, see [Preview features](https://docs.micro
Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- New in Windows 10 version 1809, there are two new attack surface reduction rules:
- - Block Adobe Reader from creating child processes
- - Block Office communication application from creating child processes.
+ - Block Adobe Reader from creating child processes
+ - Block Office communication application from creating child processes.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
@@ -95,8 +95,8 @@ Query data using Advanced hunting in Microsoft Defender ATP.
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
New attack surface reduction rules:
- - Use advanced protection against ransomware
- - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+ - Use advanced protection against ransomware
+ - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index c2c3f86318..7036973802 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of:
- Local Group Policy Object (LGPO) tool
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 4fcca719b6..ef5a46869a 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used. **Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
-| 570 | A client attempted to access an object. **Note: ** An event will be generated for every attempted operation on the object. |
+| 570 | A client attempted to access an object. **Note:** An event will be generated for every attempted operation on the object. |
## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 9bcc029641..4b653cf263 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
-### Policy dependencies
+### Policy dependencies
The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value.
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 44a4ae63d3..300f56c569 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate:
## Appendix E – Annotated baseline subscription event query
-``` syntax
+```xml
@@ -578,8 +578,7 @@ Here are the minimum steps for WEF to operate:
## Appendix F – Annotated Suspect Subscription Event Query
-``` syntax
-
+```xml
diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 8ab757be7a..a9d12cc027 100644
--- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -15,7 +15,7 @@ manager: dansimp
ms.author: dolmont
---
-# WannaCrypt ransomware worm targets out-of-date systems
+# WannaCrypt ransomware worm targets out-of-date systems
On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so.
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index a9991a6eef..0389c92dd6 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -22,16 +22,16 @@ ms.date: 10/13/2017
Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data.
Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include:
-- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
-- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
-- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
+- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
+- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
+- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware.
**In this article:**
-- Windows Hello for Business
-- Windows Information Protection
-- Malware resistance
+- Windows Hello for Business
+- Windows Information Protection
+- Malware resistance
## Windows Hello
@@ -56,9 +56,9 @@ To compromise Windows Hello credentials, an attacker would need access to the ph
Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.
Windows Hello supports three biometric sensor scenarios:
-- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
-- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
-- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
+- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
+- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
+- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
>Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
@@ -72,8 +72,6 @@ The biometric image collected at enrollment is converted into an algorithmic for
A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail.
-In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2).
-
### Standards-based approach
The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms.
@@ -87,12 +85,12 @@ Enterprises have seen huge growth in the convergence of personal and corporate d
Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.
Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include:
-- Automatically tag personal and corporate data.
-- Protect data while it’s at rest on local or removable storage.
-- Control which apps can access corporate data.
-- Control which apps can access a virtual private network (VPN) connection.
-- Prevent users from copying corporate data to public locations.
-- Help ensure business data is inaccessible when the device is in a locked state.
+- Automatically tag personal and corporate data.
+- Protect data while it’s at rest on local or removable storage.
+- Control which apps can access corporate data.
+- Control which apps can access a virtual private network (VPN) connection.
+- Prevent users from copying corporate data to public locations.
+- Help ensure business data is inaccessible when the device is in a locked state.
### Enlightened apps
@@ -101,21 +99,21 @@ Third-party data loss protection solutions usually require developers to wrap th
Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
-- Don’t use common controls for saving files.
-- Don’t use common controls for text boxes.
-- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance).
+- Don’t use common controls for saving files.
+- Don’t use common controls for text boxes.
+- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance).
In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data.
**When is app enlightenment required?**
-- **Required**
- - App needs to work with both personal and enterprise data.
-- **Recommended**
- - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps.
- - App needs to access enterprise data, while protection under lock is activated.
-- **Not required**
- - App handles only corporate data
- - App handles only personal data
+- **Required**
+ - App needs to work with both personal and enterprise data.
+- **Recommended**
+ - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps.
+ - App needs to access enterprise data, while protection under lock is activated.
+- **Not required**
+ - App handles only corporate data
+ - App handles only personal data
### Data leakage control
@@ -124,10 +122,10 @@ To configure Windows Information Protection in a Mobile Device Management (MDM)
Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data.
The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set:
-- **Block.** Windows Information Protection blocks users from completing the operation.
-- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
-- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
-- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
+- **Block.** Windows Information Protection blocks users from completing the operation.
+- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
+- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
+- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
### Data separation
@@ -140,11 +138,11 @@ Windows Information Protection provides data separation without requiring a cont
Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device.
You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices.
-- Cryptography
- - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
- - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
-- BitLocker
- - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
+- Cryptography
+ - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
+ - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
+- BitLocker
+ - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello.
@@ -230,9 +228,9 @@ A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that
A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform.
The following list describes key functionality that a TPM provides in Windows 10 Mobile:
-- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys.
-- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device.
-- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM.
+- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys.
+- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device.
+- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM.
Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@@ -241,9 +239,9 @@ Many assume that original equipment manufacturers (OEMs) must implant a TPM in h
>Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](https://technet.microsoft.com/library/dn915086.aspx)
Several Windows 10 Mobile security features require TPM:
-- Virtual smart cards
-- Measured Boot
-- Health attestation (requires TPM 2.0 or later)
+- Virtual smart cards
+- Measured Boot
+- Health attestation (requires TPM 2.0 or later)
Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello.
@@ -312,9 +310,9 @@ Malware depends on its ability to insert a malicious payload into memory with th
The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use.
Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows:
-- Internal data structures that the heap uses are better protected against memory corruption.
-- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
-- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
+- Internal data structures that the heap uses are better protected against memory corruption.
+- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
+- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
### Memory reservations
@@ -342,9 +340,9 @@ The security policy of a specific AppContainer defines the operating system capa
A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time.
The AppContainer concept is advantageous because it provides:
-- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
-- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
-- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
+- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
+- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
+- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher.
@@ -355,9 +353,9 @@ The combination of Device Guard and AppContainer help to prevent unauthorized ap
The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
-- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
-- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
-- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
+- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
+- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
+- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
## Summary
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 4f08806147..39bb11b2f0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -51,13 +51,14 @@ As a cloud service, it is required that computers have access to the internet an
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
-| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com|
-| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com|
-| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com|
-| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
-| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
-| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
-| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
+| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com \*.wdcpalt.microsoft.com \*.wd.microsoft.com|
+| *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com|
+| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com|
+| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
+| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
+| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
+| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
+
## Validate connections between your network and the cloud
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index b61fbe54d1..115361ba35 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -191,7 +191,7 @@ This setting will prevent a scan from occurring after receiving an update. You c
### Enable headless UI mode
- - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
+- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg
new file mode 100644
index 0000000000..36da4a5988
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-alert.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png
new file mode 100644
index 0000000000..2e11d9e9b5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-huntingquery.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png
new file mode 100644
index 0000000000..d0eef7ebef
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tampprotintune-windowssecurityapp.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
index 73f3bdc5e1..872f7f0588 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
@@ -151,7 +151,7 @@ realTimeProtectionEnabled : true
2. Install the configuration file on a client machine:
```bash
- python WindowsDefenderATPOnboarding.py
+ /usr/bin/python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
index eb3359531d..977d404c8d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
@@ -148,6 +148,8 @@ Diagnostic logs are collected only with the consent of the user as part of the f
- All files under */Library/Logs/Microsoft/mdatp/*
- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac
- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac
+- /Library/Logs/Microsoft/autoupdate.log
+- $HOME/Library/Preferences/com.microsoft.autoupdate2.plist
### Optional diagnostic data
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
index a39cf22ad8..e8697f63a3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@@ -80,21 +80,21 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
-|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` |
-|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` |
+|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
+|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` |
-|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
+|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
-|Protection |Request a security intelligence update |`mdatp --definition-update` |
+|Protection |Request a security intelligence update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index c074504ddd..02469ed7c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,9 +1,9 @@
---
-title: Prevent security settings changes with Tamper Protection
+title: Protect security settings with Tamper Protection
ms.reviewer:
manager: dansimp
-description: Use tamper protection to prevent malicious apps from changing important security settings.
-keywords: malware, defender, antivirus, tamper protection
+description: Use Tamper Protection to prevent malicious apps from changing important security settings.
+keywords: malware, defender, antivirus, Tamper Protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -11,48 +11,160 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+audience: ITPro
+author: denisebmsft
+ms.author: deniseb
---
-# Prevent security settings changes with tamper protection
+# Protect security settings with Tamper Protection
**Applies to:**
- Windows 10
-Tamper Protection helps prevent malicious apps from changing important security settings. These settings include:
+## Overview
-- Real-time protection
-- Cloud-delivered protection
-- IOfficeAntivirus (IOAV)
-- Behavior monitoring
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper Protection helps prevent this from occurring.
+
+With Tamper Protection, malicious apps are prevented from taking actions like these:
+- Disabling virus and threat protection
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus (such as IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
- Removing security intelligence updates
-With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings:
+## How it works
-- Mobile device management (MDM) apps like Intune
-- Enterprise configuration management apps like System Center Configuration Manager (SCCM)
-- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures
-- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup)
-- Group Policy
-- Other Windows Management Instrumentation (WMI) apps
+ Tamper Protection essentially locks Microsoft Defender and prevents your security settings from being changed through apps and methods like these:
+- Configuring settings in Registry Editor on your Windows machine
+- Changing settings through PowerShell cmdlets
+- Editing or removing security settings through group policies
+- and so on.
-The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app.
+Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team.
-On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting.
+### What do you want to do?
-Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**.
+[Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine)
-## Configure tamper protection
+[Turn Tamper Protection on (or off) for your organization with Intune (Preview)](#turn-tamper-protection-on-or-off-for-your-organization-with-intune)
+
+## Turn Tamper Protection on (or off) for an individual machine
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn Tamper Protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
+
+1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
+
+2. Select **Virus & threat protection** > **Virus & threat protection settings**.
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select **Virus & threat protection**, then select **Virus & threat protection settings**.
3. Set **Tamper Protection** to **On** or **Off**.
->[!NOTE]
->Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
->
->To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later.
->
->Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+> [!NOTE]
+> Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
+>
+> To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+>
+> Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+
+
+## Turn Tamper Protection on (or off) for your organization with Intune
+
+If you are part of your organization's security team, the ability to turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune) is now in preview.
+
+You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+
+1. Make sure your organization meets the following requirements:
+
+ - Your organization must have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
+ - Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
+ - Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later.
+ - You must be using Windows security and update [security intelligence](https://www.microsoft.com/wdsi/definitions) to version 1.287.60.0 (or above)
+ - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
+
+2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account.
+
+3. Select **Device configuration** > **Profiles**.
+
+4. Create a profile that includes the following settings:
+
+ - **Platform**: Windows 10 and later
+ - **ProfileType**: Endpoint protection
+ - **Settings** > Windows Defender Security Center > Tamper Protection
+
+5. Assign the profile to one or more groups.
+
+## Frequently asked questions
+
+### To which Windows OS versions is configuring Tamper Protection is applicable?
+
+Windows 1903 May release
+
+### Is configuring Tamper Protection in Intune supported on servers?
+
+No
+
+### Will Tamper Protection have any impact on third party antivirus registration?
+
+No, third-party antivirus will continue to register with the Windows Security application.
+
+### What happens if Microsoft Defender is not active on a device?
+
+Tamper Protection will not have any impact on such devices.
+
+### How can I turn Tamper Protection on/off?
+
+If you are home user, see [Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+
+If you are an organization using [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage Tamper Protection in Intune similar to how you manage other endpoint protection features. See [Turn Tamper Protection on (or off) for your organization with Intune](#turn-tamper-protection-on-or-off-for-your-organization-with-intune).
+
+
+### How does configuring Tamper Protection in Intune affect how I manage Windows Defender through my group policy?
+
+Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender settings will be ignored when Tamper Protection is on.
+
+### For Microsoft Defender Advanced Threat Protection E5, is configuring Tamper Protection in Intune targeted to the entire organization only?
+
+Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
+
+### Can I configure Tamper Protection in System Center Configuration Manager?
+
+Currently we do not have support to manage Tamper Protection through System Center Configuration Manager.
+
+### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune?
+
+Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+
+### What happens if I try to change Microsoft Defender settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+
+You won’t be able to change the features that are protected by Tamper Protection; those change requests are ignored.
+
+### I’m an enterprise customer. Can local admins change Tamper Protection on their devices?
+
+No. Local admins cannot change or modify Tamper Protection settings.
+
+### What happens if my device is onboarded with Microsoft Defender Advanced Threat Protection and then goes into an off-boarded state?
+
+In this case, Tamper Protection status changes, and this feature is no longer applied.
+
+### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Advanced Threat Protection portal?
+
+Yes. The alert is shown in [https://microsoft.securitycenter.com](https://microsoft.securitycenter.com) under **Alerts**.
+
+In addition, your security operations team can use hunting queries, such as the following:
+
+`AlertEvents | where Title == "Tamper Protection bypass"`
+
+### Will there be a group policy setting for Tamper Protection?
+
+No.
+
+## Related resources
+
+[Windows 10 Enterprise Security](https://docs.microsoft.com/windows/security/index)
+
+[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+
+[Microsoft 365 Enterprise overview (at a glance)](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview#at-a-glance)
+
+[Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
index 8c57a43727..68c4accc82 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -29,6 +29,9 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y
3. Under **Quarantined threats**, click **See full history**.
4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.)
+> [!NOTE]
+> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV.
+
## Related topics
- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index bd9df5835d..def6571abc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -47,7 +47,6 @@ You can configure and manage Windows Defender Antivirus with:
> [!NOTE]
> For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp).
-=======
## Minimum system requirements
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index ac99737410..196c8dc9a2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -11,7 +11,7 @@
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
### [Types of devices](types-of-devices.md)
-###Use WDAC with custom policies
+### Use WDAC with custom policies
#### [Create an initial default policy](create-initial-default-policy.md)
#### [Create path-based rules](create-path-based-rules.md)
#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 3622d0e101..f762644195 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Add rules for packaged apps to existing AppLocker rule-set
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index 86c295cf9e..8730c6c545 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -20,8 +20,8 @@ ms.date: 02/28/2019
# Administer AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index d2d3584bf7..f7a0f16873 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker architecture and components
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professional describes AppLocker’s basic architecture and its major components.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
index c12a1e59ac..3bfb26bb30 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker functions
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index 37045a74e8..7f4112593f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -20,8 +20,8 @@ ms.date: 10/16/2017
# AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index 7758f45ec7..e92450d695 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -21,8 +21,8 @@ ms.date: 09/21/2017
# AppLocker deployment guide
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index a7258ab473..d723d9a054 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker design guide
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 6e50eebbd2..3e660d6659 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker policy use scenarios
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index e32e6bf896..54ec678b22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker processes and interactions
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
index c02fce9a90..f289a40fe7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker settings
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional lists the settings used by AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
index f330084b0b..031ce25230 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# AppLocker technical reference
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This overview topic for IT professionals provides links to the topics in the technical reference.
AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index ce69d9e064..2dd978d52b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -20,8 +20,8 @@ ms.date: 06/08/2018
# Configure an AppLocker policy for audit only
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 24f5aeb1ef..36cce5baec 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Configure an AppLocker policy for enforce rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index 018d76dd6b..dfb7c8814a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Add exceptions for an AppLocker rule
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index 52899e5621..a3a2d593bb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Configure the AppLocker reference device
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index fffa53c756..c2c55cccf6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -20,8 +20,8 @@ ms.date: 04/02/2018
# Configure the Application Identity service
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index d87b6b2d31..7ac5a2faeb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create a rule for packaged apps
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index 9248042379..f7689c76f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create a rule that uses a file hash condition
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index 7d7608f7c8..728693dc35 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create a rule that uses a path condition
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals shows how to create an AppLocker rule with a path condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 58609a7102..5a875b4b84 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create a rule that uses a publisher condition
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
index 8f20bf3c9a..f68602c282 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create AppLocker default rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 7afc539899..e0c0cb658f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create a list of apps deployed to each business group
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 859761b9b9..4cb2f24434 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create Your AppLocker policies
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
index 6fb52b2843..6d75ecfc99 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create Your AppLocker rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index 84e53cfb2d..be00ebc127 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -20,8 +20,8 @@ ms.date: 08/02/2018
# Delete an AppLocker rule
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to delete an AppLocker rule.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 0fe96e42aa..65374479fc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Deploy AppLocker policies by using the enforce rules setting
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index dd81603afd..058e736230 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Deploy the AppLocker policy into production
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 2226a672dd..e03376d487 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Determine the Group Policy structure and rule enforcement
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This overview topic describes the process to follow when you are planning to deploy AppLocker rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index c8d4acc789..3b75aaec82 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Determine which apps are digitally signed on a reference device
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index e1b0bef761..7f43b4f3cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Determine your application control objectives
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index c39d07f07a..f87c93e451 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Display a custom URL message when users try to run a blocked app
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 60741a87ed..ec45f1d75e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# DLL rules in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the file formats and available default rules for the DLL rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 415d381cc4..44a181aa71 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Document the Group Policy structure and AppLocker rule enforcement
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index 1ea62b509f..3cac5abbce 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Document your app list
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index a748a0fb9d..2147e2fe3f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Document your AppLocker rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 08db847c8a..03b04a1190 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Edit an AppLocker policy
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps required to modify an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
index 8bf42722e6..028a8237bc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Edit AppLocker rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index 1f45a8cb4d..575de45499 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Enable the DLL rule collection
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
index e34cd10524..b396db1cfb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Enforce AppLocker rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how to enforce application control rules by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index 09e13411bb..ffdc7ace8c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Executable rules in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the file formats and available default rules for the executable rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index 579f6a1677..0443b67c6b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Export an AppLocker policy from a GPO
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index 1d42dabe51..6856386f4a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Export an AppLocker policy to an XML file
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
index 6d259a430f..b4adeb4b33 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# How AppLocker works
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index cd3f2ab32d..eaa7c7aa78 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Import an AppLocker policy from another computer
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how to import an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index 07ffba8bd0..ac5ac53cd5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Import an AppLocker policy into a GPO
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index af959d3197..20b1b50dae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Maintain AppLocker policies
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes how to maintain rules within AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index bd4497b964..3a9dee486d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Manage packaged apps with AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index 7ee34ff838..47c7db9884 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Merge AppLocker policies by using Set-ApplockerPolicy
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
@@ -41,6 +41,6 @@ You can also manually merge AppLocker policies. For the procedure to do this, se
Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path.
-``` syntax
+```powershell
C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
index 0ccb16202c..f40ead0fc0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Merge AppLocker policies manually
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index 72378b52ca..9d03415f49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Monitor app usage with AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
index 50e84edb7a..d669f7c890 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Optimize AppLocker performance
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how to optimize AppLocker policy enforcement.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index eb87d51320..1057121e64 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 10/13/2017
# Packaged apps and packaged app installer rules in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index d0e2f069fe..90bf198903 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Plan for AppLocker policy management
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index de3556a475..9e6a10f475 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Refresh an AppLocker policy
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to force an update for an AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index b1187d6b13..5bfe8d38ed 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Requirements for deploying AppLocker policies
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index edcc2be0d3..ded7e2d592 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Requirements to use AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
index a0a509e1ae..a87df1bc69 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Run the Automatically Generate Rules wizard
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 068f4f5786..1854e961d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Script rules in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the file formats and available default rules for the script rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index 2fbfbf63aa..bde5f92033 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Security considerations for AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 74fe7bc8ec..4daacad66d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Select the types of rules to create
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic lists resources you can use when selecting your application control policy rules by using AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index dd5cb6b46d..00511d0f23 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Test an AppLocker policy by using Test-AppLockerPolicy
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index e1d63a2f9d..6306c10479 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Test and update an AppLocker policy
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic discusses the steps required to test an AppLocker policy prior to deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index d3666a1e1e..974a0000cc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Tools to use with AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the tools available to create and administer AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 38e080a194..0cd67f03d8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understand AppLocker enforcement settings
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the AppLocker enforcement settings for rule collections.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 29a92cb366..fedd0c187e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -20,8 +20,8 @@ ms.date: 10/13/2017
# Understand AppLocker policy design decisions
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 60372d5be9..eef85dda63 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understand AppLocker rules and enforcement setting inheritance in Group Policy
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index cf93b27a4b..5e0c80b55d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understand the AppLocker policy deployment process
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index 50811e33c0..f9cdae7831 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding AppLocker allow and deny actions on rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic explains the differences between allow and deny actions on AppLocker rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index aab40287b6..d2d2d98598 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding AppLocker default rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index fb7afc79b9..cbb7806a6b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding AppLocker rule behavior
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index f2788d4bfc..0392b51405 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding AppLocker rule collections
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index f937e73090..ace4b89837 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding AppLocker rule condition types
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the three types of AppLocker rule conditions.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index 08aeb4091d..9420c1f20f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding AppLocker rule exceptions
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the result of applying AppLocker rule exceptions to rule collections.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index 3bb3ba52c4..b0e028c79d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding the file hash rule condition in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 0e59ec885b..95863340c0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding the path rule condition in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index 52259c9248..73bd0d992a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Understanding the publisher rule condition in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 9c5076e4c6..adf5eb6279 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -21,8 +21,8 @@ ms.date: 09/21/2017
# Use a reference device to create and maintain AppLocker policies
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 1f70ea7e87..828934ca43 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Use AppLocker and Software Restriction Policies in the same domain
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 0f4a4872cf..58edb0059e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Use the AppLocker Windows PowerShell cmdlets
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index 6fa4d92a72..78c04357c6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Using Event Viewer with AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic lists AppLocker events and describes how to use Event Viewer with AppLocker.
@@ -50,11 +50,11 @@ The following table contains information about the events that you can use to de
| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
-| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
-| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.|
+| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.|
| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
-| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
-| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
+| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
index 3583e3fd1b..1dd5197ddd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Use Software Restriction Policies and AppLocker policies
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index a3c525fbfa..2ddcbb332e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# What Is AppLocker?
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index a853be9f44..50fff5a7b2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Windows Installer rules in AppLocker
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic describes the file formats and available default rules for the Windows Installer rule collection.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
index 8e77d3e330..2bde016bc2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Working with AppLocker policies
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
@@ -30,7 +30,7 @@ This topic for IT professionals provides links to procedural topics about creati
| Topic | Description |
| - | - |
| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.|
-| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.|
+| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.|
| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.|
| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.|
| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
index c899126846..1b92efcccf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -18,8 +18,8 @@ ms.date: 08/27/2018
# Working with AppLocker rules
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
index 105f6a46bb..babbce2e0b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
@@ -52,10 +52,10 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
- Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
- One or the other, not both at the same time
- Does not support wildcard in the middle (ex. C:\\*\foo.exe)
- - Examples:
- - %WINDIR%\\...
- - %SYSTEM32%\\...
- - %OSDRIVE%\\...
+- Supported Macros:
+ - %WINDIR%\\...
+ - %SYSTEM32%\\...
+ - %OSDRIVE%\\...
- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
index abaa31c6ff..d7f2a132fb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Create your Windows Defender Application Control (WDAC) planning document
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document.
diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
index 6a6df72992..f29188cd79 100644
--- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
+++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
@@ -20,8 +20,8 @@ ms.date: 09/21/2017
# Document your application control management processes
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This planning topic describes the Windows Defender Application Control (WDAC) policy maintenance information to record for your design document.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index ab584cebd9..530d8659f9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -111,15 +111,16 @@ They could also choose to create a catalog that captures information about the u
Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules.
-- New-CIPolicy parameters
+- New-CIPolicy parameter
- FilePath: create path rules under path \ for anything not user-writeable (at the individual file level)
```powershell
- New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u
+ New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs
```
Optionally, add -UserWriteablePaths to ignore user writeability
-
+
+- New-CIPolicyRule parameter
- FilePathRule: create a rule where filepath string is directly set to value of \
```powershell
@@ -134,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
$rules = New-CIPolicyRule …
$rules += New-CIPolicyRule …
…
- New-CIPolicyRule -f .\mypolicy.xml -u
+ New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs
```
- Wildcards supported
@@ -149,6 +150,6 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
```powershell
- Set-RuleOption -o 18 .\policy.xml
+ Set-RuleOption -Option 18 .\policy.xml
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 44ff0aa926..e9719fd4e4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -18,8 +18,8 @@ ms.author: dansimp
# Windows Defender Application Control design guide
**Applies to**
- - Windows 10
- - Windows Server
+- Windows 10
+- Windows Server
This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 9617e485b3..3605322e2c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -18,7 +18,7 @@ ms.date: 01/08/2019
**Applies to:**
-- Windows 10
+- Windows 10 Enterprise
- Windows Server 2016
- Windows Server 2019
@@ -40,8 +40,8 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
-WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
-They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
+WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above.
+They can be applied to computers running Windows 10 Enterprise or Windows Server 2016 and above and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index fb335353dc..c129bb0353 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -29,11 +29,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
-| Policy name | Supported versions | Description |
-|-------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. |
-| Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
-| Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. |
+
+|Policy name|Supported versions|Description|
+|-----------|------------------|-----------|
+|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". |
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.|
+
## Application-specific settings
These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 8a0d017824..1d5756d650 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -103,3 +103,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com. |
+
+| | |
+|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? |
+| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). |
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 3f889598d3..dc6820bd94 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -19,29 +19,12 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Review system requirements
-
+
+See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard.
>[!NOTE]
>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
-### Hardware requirements
-Your environment needs the following hardware to run Windows Defender Application Guard.
-|Hardware|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).|
-|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
-|Hardware memory|Microsoft requires a minimum of 8GB RAM|
-|Hard disk|5 GB free space, solid state disk (SSD) recommended|
-|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
-
-### Software requirements
-Your environment needs the following software to run Windows Defender Application Guard.
-
-|Software|Description|
-|--------|-----------|
-|Operating system|Windows 10 Enterprise edition, version 1709 or higher Windows 10 Professional edition, version 1803|
-|Browser|Microsoft Edge and Internet Explorer|
-|Management system (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/sccm/)
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
## Prepare for Windows Defender Application Guard
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index 4aadf6d205..00c7bfddf4 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -39,69 +39,12 @@ Application Guard has been created to target several types of systems:
## Frequently Asked Questions
-| | |
-|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? |
-| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
-| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. |
-| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. |
-| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. |
-
-
-
-
-| | |
-|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? |
-| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. |
-
-
-
-
-| | |
-|--------|------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? |
-| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. |
-
-
-
-
-| | |
-|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? |
-| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. |
-
-
-
-
-| | |
-|--------|---------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | Why aren’t employees able to see their Extensions in the Application Guard Edge session? |
-| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. |
-
-
-
-
-| | |
-|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? |
-| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. |
-
-
-
-
-| | |
-|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? |
-| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. |
-
-
-
+Please see [Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md) for common user-submitted questions.
| | |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Q:** | What is the WDAGUtilityAccount local account? |
-| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. |
+| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? |
+| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). |
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 29ed15335f..7ed8ec4621 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u
>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+>If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
+
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 0f4d7ee1dc..ea7aa818f2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -183,7 +183,7 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
> [!NOTE]
-> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709.
+> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
@@ -293,8 +293,8 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
```
### Requirements for running HVCI in Hyper-V virtual machines
- - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
- - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
+- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
+- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
+- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
+- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 61220879a8..4d7e28279c 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -88,7 +88,7 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
```PowerShell
-Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
+Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by replacing `-Enable` with `-Disable`.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index dc0bab469f..875fd5bfae 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -56,7 +56,9 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576).
+
+2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -86,7 +88,18 @@ This can only be done in Group Policy.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. Use the following registry key and DWORD value to **Hide all notifications**.
+
+ **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
+ **"DisableNotifications"=dword:00000001**
+
+8. Use the following registry key and DWORD value to **Hide not-critical notifications**
+
+ **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
+ **"DisableEnhancedNotifications"=dword:00000001**
+
+9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
## Notifications
@@ -136,3 +149,4 @@ This can only be done in Group Policy.
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |
| NoPa or federated no hello | | | No |
| NoPa or federated hello broken | | | No |
+
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 027d92a3b4..9d214a2b3c 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
---
# Windows Defender SmartScreen
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index f9fb884957..ca7c0039c1 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
ms.date: 10/13/2017
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
---
# Set up and use Windows Defender SmartScreen on individual devices
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 8de4021830..cde7dc4fc5 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
---
# Create Windows Firewall rules in Intune
@@ -35,29 +34,7 @@ Select Windows Defender Firewall.
## Firewall rule components
-Following table has description for each field.
-
-
-| Property | Type | Description |
-|----------|------|-------------|
-| DisplayName | String | The display name of the rule. Does not need to be unique. |
-| Description | String | The description of the rule. |
-| PackageFamilyName | String | The package family name of a Microsoft Store application that's affected by the firewall rule. |
-| FilePath | String | The full file path of an app that's affected by the firewall rule. |
-| FullyQualifiedBinaryName | String | The fully qualified binary name. |
-| ServiceName | String | The name used in cases when a service, not an application, is sending or receiving traffic. |
-| Protocol | Nullable Integer - default value is null which maps to All | 0-255 number representing the [IP protocol](https://www.wikipedia.org/wiki/List_of_IP_protocol_numbers) (TCP = 6, UDP = 17). If not specified, the default is All. |
-| LocalPortRanges | String array | List of local port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
-| RemotePortRanges | String array | List of remote port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
-| LocalAddressRanges | String array | List of local addresses covered by the rule. Valid tokens include: - "\*" indicates any local address. If present, this must be the only token included. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. - A valid IPv6 address. - An IPv4 address range in the format of "start address - end address" with no spaces included. - An IPv6 address range in the format of "start address - end address" with no spaces included. Default is any address. |
-| RemoteAddressRanges | String array | List of tokens specifying the remote addresses covered by the rule.Tokens are case insensitive. Valid tokens include: - "\*" indicates any remote address. If present, this must be the only token included. - "Defaultgateway" - "DHCP" - "DNS" - "WINS" - "Intranet" - "RmtIntranet" - "Internet" - "Ply2Renders" - "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. - A valid IPv6 address. - An IPv4 address range in the format of "start address - end address" with no spaces included. - An IPv6 address range in the format of "start address - end address" with no spaces included. Default is any address. |
-| ProfileTypes | WindowsFirewallNetworkProfileTypes | Specifies the profiles to which the rule belongs. If not specified, the default is All. |
-| Action| StateManagementSetting | The action the rule enforces. If not specified, the default is Allowed. |
-| TrafficDirection | WindowsFirewallRuleTrafficDirectionType | The traffic direction that the rule is enabled for. If not specified, the default is Out. |
-| InterfaceTypes | WindowsFirewallRuleInterfaceTypes | The interface types of the rule. |
-| EdgeTraversal | StateManagementSetting | Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. |
-| LocalUserAuthorizations | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. |
-
+The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp).
## Application
Control connections for an app or program.
@@ -123,8 +100,8 @@ Default is Any address.
[Learn more](https://aka.ms/intunefirewallremotaddressrule)
-## Edge traversal (coming soon)
-Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default.
+## Edge traversal (UI coming soon)
+Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time.
[Learn more](https://aka.ms/intunefirewalledgetraversal)
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 9c6966b525..5ded02bd51 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -80,7 +80,7 @@ This script does the following:
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
-``` syntax
+```powershell
# Create a Security Group for the computers that will get the policy
$pathname = (Get-ADDomain).distinguishedname
New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" `
@@ -120,7 +120,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
-``` syntax
+```powershell
#Set up the certificate
$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop
@@ -173,7 +173,7 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
- ``` syntax
+ ```xml
ERROR_IPSEC_IKE_NO_CERT32
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 79ee3e58bd..4daaa5d367 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -67,7 +67,7 @@ netsh advfirewall set allprofiles state on
**Windows PowerShell**
-``` syntax
+```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
@@ -88,7 +88,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile
Windows PowerShell
-``` syntax
+```powershell
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
@@ -140,7 +140,7 @@ netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program=
Windows PowerShell
-``` syntax
+```powershell
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
```
@@ -157,7 +157,7 @@ netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program
Windows PowerShell
-``` syntax
+```powershell
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name
```
@@ -169,7 +169,7 @@ The following performs the same actions as the previous example (by adding a Tel
Windows PowerShell
-``` syntax
+```powershell
$gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo
Save-NetGPO –GPOSession $gpo
@@ -191,7 +191,7 @@ netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2
Windows PowerShell
-``` syntax
+```powershell
Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2
```
@@ -205,7 +205,7 @@ In the following example, we assume the query returns a single firewall rule, wh
Windows PowerShell
-``` syntax
+```powershell
Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2
```
@@ -213,7 +213,7 @@ You can also query for rules using the wildcard character. The following example
Windows PowerShell
-``` syntax
+```powershell
Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule
```
@@ -223,7 +223,7 @@ In the following example, we add both inbound and outbound Telnet firewall rules
Windows PowerShell
-``` syntax
+```powershell
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management”
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management”
```
@@ -232,7 +232,7 @@ If the group is not specified at rule creation time, the rule can be added to th
Windows PowerShell
-``` syntax
+```powershell
$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet”
$rule.Group = “Telnet Management”
$rule | Set-NetFirewallRule
@@ -250,7 +250,7 @@ netsh advfirewall firewall set rule group="Windows Defender Firewall remote mana
Windows PowerShell
-``` syntax
+```powershell
Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True
```
@@ -258,7 +258,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g
Windows PowerShell
-``` syntax
+```powershell
Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose
```
@@ -276,7 +276,7 @@ netsh advfirewall firewall delete rule name=“Allow Web 80”
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –DisplayName “Allow Web 80”
```
@@ -284,7 +284,7 @@ Like with other cmdlets, you can also query for rules to be removed. Here, all b
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –Action Block
```
@@ -292,7 +292,7 @@ Note that it may be safer to query the rules with the **Get** command and save i
Windows PowerShell
-``` syntax
+```powershell
$x = Get-NetFirewallRule –Action Block
$x
$x[0-3] | Remove-NetFirewallRule
@@ -306,7 +306,7 @@ The following example returns all firewall rules of the persistent store on a de
Windows PowerShell
-``` syntax
+```powershell
Get-NetFirewallRule –CimSession RemoteDevice
```
@@ -314,7 +314,7 @@ We can perform any modifications or view rules on remote devices by simply usin
Windows PowerShell
-``` syntax
+```powershell
$RemoteSession = New-CimSession –ComputerName RemoteDevice
Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm
```
@@ -342,7 +342,7 @@ netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint
Windows PowerShell
-``` syntax
+```powershell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name
```
@@ -365,7 +365,7 @@ netsh advfirewall consec add rule name="Require Outbound Authentication" endpoin
Windows PowerShell
-``` syntax
+```powershell
$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name
@@ -379,7 +379,7 @@ You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying
Windows PowerShell
-``` syntax
+```powershell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway
```
@@ -395,7 +395,7 @@ Copying individual rules is a task that is not possible through the Netsh interf
Windows PowerShell
-``` syntax
+```powershell
$Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication”
$Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name
$Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name
@@ -407,7 +407,7 @@ To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAc
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue
```
@@ -415,7 +415,7 @@ Note that the use of wildcards can also suppress errors, but they could potentia
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*”
```
@@ -423,7 +423,7 @@ When using wildcards, if you want to double-check the set of rules that is match
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf
```
@@ -431,7 +431,7 @@ If you only want to delete some of the matched rules, you can use the *–Confir
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm
```
@@ -439,7 +439,7 @@ You can also just perform the whole operation, displaying the name of each rule
Windows PowerShell
-``` syntax
+```powershell
Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose
```
@@ -457,7 +457,7 @@ netsh advfirewall consec show rule name=all
Windows PowerShell
-``` syntax
+```powershell
Show-NetIPsecRule –PolicyStore ActiveStore
```
@@ -473,7 +473,7 @@ netsh advfirewall monitor show mmsa all
Windows PowerShell
-``` syntax
+```powershell
Get-NetIPsecMainModeSA
```
@@ -485,7 +485,7 @@ For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is sp
Windows PowerShell
-``` syntax
+```powershell
Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore
```
@@ -506,7 +506,7 @@ netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profi
Windows PowerShell
-``` syntax
+```powershell
$kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos
$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation
New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation
@@ -524,7 +524,7 @@ netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.
Windows PowerShell
-``` syntax
+```powershell
$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal
New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
@@ -548,7 +548,7 @@ netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in pro
Windows PowerShell
-``` syntax
+```powershell
New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
```
@@ -562,7 +562,7 @@ netsh advfirewall consec add rule name="Authenticate Both Computer and User" end
Windows PowerShell
-``` syntax
+```powershell
$mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos
$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop
@@ -593,7 +593,7 @@ The following example shows you how to create an SDDL string that represents sec
Windows PowerShell
-``` syntax
+```powershell
$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”)
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"
@@ -603,7 +603,7 @@ By using the previous scriptlet, you can also get the SDDL string for a secure c
Windows PowerShell
-``` syntax
+```powershell
$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
```
@@ -622,7 +622,7 @@ netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Gr
Windows PowerShell
-``` syntax
+```powershell
New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation
```
@@ -634,7 +634,7 @@ In this example, we set the global IPsec setting to only allow transport mode tr
Windows PowerShell
-``` syntax
+```powershell
Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup
```
@@ -653,7 +653,7 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec
Windows PowerShell
-``` syntax
+```powershell
New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation
```
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index d9cd25a523..149ba35f1d 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -23,33 +23,33 @@ Microsoft is committed to optimizing the security of its products and services.
The Security Target describes security functionality and assurance measures used to evaluate Windows.
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
- - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
- - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
- - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
- - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+- [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
+- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
+- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
+- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
+- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
+- [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+- [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+- [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
+- [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+- [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+- [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+- [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+- [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+- [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
## Common Criteria Deployment and Administration
@@ -59,77 +59,77 @@ These documents describe how to configure Windows to replicate the configuration
**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
-
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
- - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
- - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
- - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+
+- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+- [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+- [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+- [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+- [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
**Windows 8.1 and Windows Phone 8.1**
- - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+- [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+- [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
**Windows 8, Windows RT, and Windows Server 2012**
- - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+- [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+- [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+- [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
**Windows 7 and Windows Server 2008 R2**
- - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
+- [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+- [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
**Windows Vista and Windows Server 2008**
- - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+- [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+- [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
**Windows Server 2003 SP2 including R2, x64, and Itanium**
- - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
- - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+- [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+- [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
**Windows Server 2003 SP1(x86), x64, and IA64**
- - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
+- [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
+- [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
**Windows Server 2003 SP1**
- - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
- - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
+- [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+- [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
**Windows XP Professional SP2 (x86) and x64 Edition**
- - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
- - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
- - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
+- [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+- [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+- [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+- [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
+- [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
+- [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
**Windows XP Professional SP2, and XP Embedded SP2**
- - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
+- [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
+- [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
+- [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
**Windows Server 2003 Certificate Server**
- - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
- - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
- - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+- [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+- [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+- [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
@@ -137,41 +137,40 @@ These documents describe how to configure Windows to replicate the configuration
An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
- - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
- - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
- - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
- - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
- - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
- - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
- - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
- - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
- - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
- - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
- - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
- - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
- - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
- - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
- - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
+- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
+- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
+- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
+- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
+- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
+- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
+- [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+- [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+- [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+- [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+- [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+- [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
+- [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
+- [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+- [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+- [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+- [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
+- [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
+- [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+- [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+- [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
## Other Common Criteria Related Documents
- - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
-
+- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 12bbd676fa..d4d30ecdba 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -34,6 +34,7 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
+ "audience": "ITPro",
"ms.date": "04/05/2017",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index b86924bf53..8d403d8128 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -34,6 +34,7 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
+ "audience": "ITPro",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 129309368a..4c6f69c1a2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,631 +1,631 @@
----
-title: What's new in Windows 10 Enterprise 2019 LTSC
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: low
-ms.topic: article
----
-
-# What's new in Windows 10 Enterprise 2019 LTSC
-
-**Applies to**
-- Windows 10 Enterprise 2019 LTSC
-
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
-
->[!NOTE]
->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809.
-
-Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
- - Advanced protection against modern security threats
- - Full flexibility of OS deployment
- - Updating and support options
- - Comprehensive device and app management and control capabilities
-
-The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
-
->[!IMPORTANT]
->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
-
-## Microsoft Intune
-
->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
-
-## Security
-
-This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
-
-### Threat protection
-
-#### Windows Defender ATP
-
-The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
-
-
-
-##### Attack surface reduction
-
-Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
- - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
- - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
-
-###### Windows Defender Firewall
-
-Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead).
-
-##### Windows Defender Device Guard
-
-[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including:
-- Software-based protection provided by code integrity policies
-- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI)
-
-But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control).
-
-### Next-gen protection
-
-#### Office 365 Ransomware Detection
-
-For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
-
-### Endpoint detection and response
-
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
-
- Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
-
- We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on:
-- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
-- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
-- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
-- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
-- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
-
- Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).
-
- New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include:
-- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
-
- We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
-
- **Endpoint detection and response** is also enhanced. New **detection** capabilities include:
-- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
- - Upgraded detections of ransomware and other advanced attacks.
- - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
-
- **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
-- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
-
-Additional capabilities have been added to help you gain a holistic view on **investigations** include:
- - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
- - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
- - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP.
-
-Other enhanced security features include:
-- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
-- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
-
-We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
-
-We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
-
-This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
-
-You can read more about ransomware mitigations and detection capability at:
-- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf)
-- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
-
-Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
-
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-
-For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
-
-### Information protection
-
-Improvements have been added to Windows Information Protection and BitLocker.
-
-#### Windows Information Protection
-
-Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
-
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
-
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
-
-This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
-
-### BitLocker
-
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
-
-#### Silent enforcement on fixed drives
-
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
-
-This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
-
-This feature will soon be enabled on Olympia Corp as an optional feature.
-
-#### Delivering BitLocker policy to AutoPilot devices during OOBE
-
-You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
-
-For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
-
-To achieve this:
-
-1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
-2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
-
-### Identity protection
-
-Improvements have been added are to Windows Hello for Business and Credential Guard.
-
-#### Windows Hello for Business
-
-New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present.
-
-New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude:
-- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
-- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
-- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-
-[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
-- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
-- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
-- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
-- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
-- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
-- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
-
-For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
-
-#### Windows Defender Credential Guard
-
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
-
-For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
-
-### Other security improvments
-
-#### Windows security baselines
-
-Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
-
-**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
-
-The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
-
-#### SMBLoris vulnerability
-
-An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed.
-
-#### Windows Security Center
-
-Windows Defender Security Center is now called **Windows Security Center**.
-
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
-
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
-
-WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
-
-
-
-#### Group Policy Security Options
-
-The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
-
-A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
-
-#### Windows 10 in S mode
-
-We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-
-
-
-## Deployment
-
-### Windows Autopilot
-
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
-
-Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
-
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
-
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
-
-#### Windows Autopilot self-deploying mode
-
-Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot.
-
-This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
-
-To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying).
-
-
-#### Autopilot Reset
-
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
-
-### MBR2GPT.EXE
-
-MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
-
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
-
-Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-
-For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
-
-### DISM
-
-The following new DISM commands have been added to manage feature updates:
-
- DISM /Online /Initiate-OSUninstall
- – Initiates a OS uninstall to take the computer back to the previous installation of windows.
- DISM /Online /Remove-OSUninstall
- – Removes the OS uninstall capability from the computer.
- DISM /Online /Get-OSUninstallWindow
- – Displays the number of days after upgrade during which uninstall can be performed.
- DISM /Online /Set-OSUninstallWindow
- – Sets the number of days after upgrade during which uninstall can be performed.
-
-For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
-
-### Windows Setup
-
-You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
-
-Prerequisites:
-- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later.
-- Windows 10 Enterprise or Pro
-
-For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
-
-It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
-
- /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
-
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
-
-New command-line switches are also available to control BitLocker:
-
- Setup.exe /BitLocker AlwaysSuspend
- – Always suspend bitlocker during upgrade.
- Setup.exe /BitLocker TryKeepActive
- – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
- Setup.exe /BitLocker ForceKeepActive
- – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
-
-For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
-
-### Feature update improvements
-
-Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
-
-### SetupDiag
-
-[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
-
-SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
-
-## Sign-in
-
-### Faster sign-in to a Windows 10 shared pc
-
-If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
-
-**To enable fast sign-in:**
-1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
-2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
-3. Sign-in to a shared PC with your account. You'll notice the difference!
-
- 
-
-### Web sign-in to Windows 10
-
-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
-
-**To try out web sign-in:**
-1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
-3. On the lock screen, select web sign-in under sign-in options.
-4. Click the “Sign in” button to continue.
-
-
-
-## Windows Analytics
-
-### Upgrade Readiness
-
->[!IMPORTANT]
->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
-
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
-
-For more information about Upgrade Readiness, see the following topics:
-
-- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
-
-Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-### Update Compliance
-
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
-
-Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
-
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
-
-### Device Health
-
-Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
-## Accessibility and Privacy
-
-### Accessibility
-
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
-
-### Privacy
-
-In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app.
-
-## Configuration
-
-### Kiosk configuration
-
-Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
-
-If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel.
-
-### Co-management
-
-Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
-
-For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
-
-### OS uninstall period
-
-The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
-
-### Azure Active Directory join in bulk
-
-Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
-
-
-### Windows Spotlight
-
-The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
-
-- **Turn off the Windows Spotlight on Action Center**
-- **Do not use diagnostic data for tailored experiences**
-- **Turn off the Windows Welcome Experience**
-
-[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
-
-### Start and taskbar layout
-
-Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-
-[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
-
-- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
-- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
-- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
-
-## Windows Update
-
-### Windows Update for Business
-
-Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-
-
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
-
-WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
-
-Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-
-
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
-
-WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
-
-### Windows Insider for Business
-
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).
-
-You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business).
-
-
-### Optimize update delivery
-
-With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
-
->[!NOTE]
-> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
-
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
-
-Added policies include:
-- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
-- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
-- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
-- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
-- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
-
-### Uninstalled in-box apps no longer automatically reinstall
-
-Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
-
-Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC.
-
-## Management
-
-### New MDM capabilities
-
-Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
-
-Some of the other new CSPs are:
-
-- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
-
-- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
-
-- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
-
-- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
-
-- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
-
-- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
-
-IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
-
-[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
-
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
-
-Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
-
-### Mobile application management support for Windows 10
-
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC.
-
-For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
-
-### MDM diagnostics
-
-In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
-
-### Application Virtualization for Windows (App-V)
-
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
-
-For more info, see the following topics:
-- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
-- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
-- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
-- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
-
-### Windows diagnostic data
-
-Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
-
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
-
-### Group Policy spreadsheet
-
-Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC.
-
-- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
-
-### Mixed Reality Apps
-
-This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
-
-## Networking
-
-### Network stack
-
-Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
-
-### Miracast over Infrastructure
-
-In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
-
-How it works:
-
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-
-Miracast over Infrastructure offers a number of benefits:
-
-- Windows automatically detects when sending the video stream over this path is applicable.
-- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
-- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
-- No changes to current wireless drivers or PC hardware are required.
-- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
-- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
-
-Enabling Miracast over Infrastructure:
-
-If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
-
-- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS.
-- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
-- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-
-It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
-
-## Registry editor improvements
-
-We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
-
-
-
-## Remote Desktop with Biometrics
-
-Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
-
-To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
-
-- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
-- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
-
-See the following example:
-
-
-
-
-
-## See Also
-
-[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
+---
+title: What's new in Windows 10 Enterprise 2019 LTSC
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: low
+ms.topic: article
+---
+
+# What's new in Windows 10 Enterprise 2019 LTSC
+
+**Applies to**
+- Windows 10 Enterprise 2019 LTSC
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+
+>[!NOTE]
+>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809.
+
+Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
+- Advanced protection against modern security threats
+- Full flexibility of OS deployment
+- Updating and support options
+- Comprehensive device and app management and control capabilities
+
+The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
+
+>[!IMPORTANT]
+>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
+
+## Microsoft Intune
+
+>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
+
+## Security
+
+This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
+
+### Threat protection
+
+#### Windows Defender ATP
+
+The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
+
+
+
+##### Attack surface reduction
+
+Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
+ - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
+ - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
+
+###### Windows Defender Firewall
+
+Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead).
+
+##### Windows Defender Device Guard
+
+[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including:
+- Software-based protection provided by code integrity policies
+- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI)
+
+But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control).
+
+### Next-gen protection
+
+#### Office 365 Ransomware Detection
+
+For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+### Endpoint detection and response
+
+Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
+
+ Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+
+ We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on:
+- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus)
+- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus)
+- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus)
+- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)
+- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus)
+
+ Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).
+
+ New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include:
+- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus)
+
+ We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+
+ **Endpoint detection and response** is also enhanced. New **detection** capabilities include:
+- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
+ - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+ - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
+ - Upgraded detections of ransomware and other advanced attacks.
+ - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
+
+ **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
+- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+ - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
+
+Additional capabilities have been added to help you gain a holistic view on **investigations** include:
+- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
+- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
+- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP.
+
+Other enhanced security features include:
+- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
+- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
+- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
+- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
+
+We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
+
+We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
+
+This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
+
+You can read more about ransomware mitigations and detection capability at:
+- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
+- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf)
+- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
+
+Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
+
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+
+For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
+
+### Information protection
+
+Improvements have been added to Windows Information Protection and BitLocker.
+
+#### Windows Information Protection
+
+Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
+
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
+
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
+
+This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
+
+### BitLocker
+
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
+
+#### Silent enforcement on fixed drives
+
+Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
+
+This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
+
+This feature will soon be enabled on Olympia Corp as an optional feature.
+
+#### Delivering BitLocker policy to AutoPilot devices during OOBE
+
+You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
+
+For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
+
+To achieve this:
+
+1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
+2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
+ - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
+3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
+ - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
+### Identity protection
+
+Improvements have been added are to Windows Hello for Business and Credential Guard.
+
+#### Windows Hello for Business
+
+New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present.
+
+New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude:
+- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
+- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
+
+[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
+- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
+- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
+- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
+- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
+
+For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
+
+#### Windows Defender Credential Guard
+
+Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+
+For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
+
+### Other security improvments
+
+#### Windows security baselines
+
+Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
+
+**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
+
+The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
+
+#### SMBLoris vulnerability
+
+An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed.
+
+#### Windows Security Center
+
+Windows Defender Security Center is now called **Windows Security Center**.
+
+You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**.
+
+The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
+
+WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
+
+
+
+#### Group Policy Security Options
+
+The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+
+A new security policy setting
+[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+
+#### Windows 10 in S mode
+
+We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
+
+
+
+## Deployment
+
+### Windows Autopilot
+
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
+
+Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
+
+Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
+
+You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
+
+#### Windows Autopilot self-deploying mode
+
+Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot.
+
+This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
+
+You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
+
+To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying).
+
+
+#### Autopilot Reset
+
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
+
+### MBR2GPT.EXE
+
+MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+
+Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+
+For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
+
+### DISM
+
+The following new DISM commands have been added to manage feature updates:
+
+ DISM /Online /Initiate-OSUninstall
+ – Initiates a OS uninstall to take the computer back to the previous installation of windows.
+ DISM /Online /Remove-OSUninstall
+ – Removes the OS uninstall capability from the computer.
+ DISM /Online /Get-OSUninstallWindow
+ – Displays the number of days after upgrade during which uninstall can be performed.
+ DISM /Online /Set-OSUninstallWindow
+ – Sets the number of days after upgrade during which uninstall can be performed.
+
+For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+
+### Windows Setup
+
+You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
+
+Prerequisites:
+- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later.
+- Windows 10 Enterprise or Pro
+
+For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+
+It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
+
+ /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
+
+New command-line switches are also available to control BitLocker:
+
+ Setup.exe /BitLocker AlwaysSuspend
+ – Always suspend bitlocker during upgrade.
+ Setup.exe /BitLocker TryKeepActive
+ – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
+ Setup.exe /BitLocker ForceKeepActive
+ – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
+
+### Feature update improvements
+
+Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+
+### SetupDiag
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
+
+SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+
+## Sign-in
+
+### Faster sign-in to a Windows 10 shared pc
+
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
+
+**To enable fast sign-in:**
+1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
+2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+3. Sign-in to a shared PC with your account. You'll notice the difference!
+
+ 
+
+### Web sign-in to Windows 10
+
+Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+
+**To try out web sign-in:**
+1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
+3. On the lock screen, select web sign-in under sign-in options.
+4. Click the “Sign in” button to continue.
+
+
+
+## Windows Analytics
+
+### Upgrade Readiness
+
+>[!IMPORTANT]
+>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+
+The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
+
+Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
+
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+
+### Device Health
+
+Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+## Accessibility and Privacy
+
+### Accessibility
+
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+
+### Privacy
+
+In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app.
+
+## Configuration
+
+### Kiosk configuration
+
+Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
+
+If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel.
+
+### Co-management
+
+Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+
+For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
+
+### OS uninstall period
+
+The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
+
+### Azure Active Directory join in bulk
+
+Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
+
+
+
+### Windows Spotlight
+
+The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
+
+- **Turn off the Windows Spotlight on Action Center**
+- **Do not use diagnostic data for tailored experiences**
+- **Turn off the Windows Welcome Experience**
+
+[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
+
+### Start and taskbar layout
+
+Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
+
+[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
+
+- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
+- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
+- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
+
+## Windows Update
+
+### Windows Update for Business
+
+Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
+
+
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+
+WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+
+Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
+
+
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+
+WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+
+### Windows Insider for Business
+
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business).
+
+You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business).
+
+
+### Optimize update delivery
+
+With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+
+>[!NOTE]
+> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
+
+Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
+
+Added policies include:
+- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
+- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
+- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
+- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
+- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
+
+To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization)
+
+### Uninstalled in-box apps no longer automatically reinstall
+
+Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
+
+Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC.
+
+## Management
+
+### New MDM capabilities
+
+Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
+Some of the other new CSPs are:
+
+- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+
+- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
+
+- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
+
+- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
+
+- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
+
+- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
+
+IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
+
+[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
+
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
+
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
+
+### Mobile application management support for Windows 10
+
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC.
+
+For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
+
+### MDM diagnostics
+
+In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
+
+### Application Virtualization for Windows (App-V)
+
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+
+For more info, see the following topics:
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
+- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
+
+### Windows diagnostic data
+
+Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
+
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
+
+### Group Policy spreadsheet
+
+Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC.
+
+- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
+
+### Mixed Reality Apps
+
+This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
+
+## Networking
+
+### Network stack
+
+Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
+
+### Miracast over Infrastructure
+
+In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+How it works:
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+Enabling Miracast over Infrastructure:
+
+If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS.
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
+## Registry editor improvements
+
+We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
+
+
+
+## Remote Desktop with Biometrics
+
+Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+
+To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
+
+- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
+- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
+
+See the following example:
+
+
+
+
+
+## See Also
+
+[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 7bf5f8b3ee..b4e4f4f224 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -67,7 +67,7 @@ This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/clie
This feature will soon be enabled on Olympia Corp as an optional feature.
-#### Delivering BitLocker policy to AutoPilot devices during OOBE
+#### Delivering BitLocker policy to AutoPilot devices during OOBE
You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.
](../images/ua-cg-15.png){kind=link}