Merge branch 'master' into vs-win10gdproverview

education/windows/configure-windows-for-education.md

@@ -26,7 +26,7 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
 
 | Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | 
 | --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
+| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
 | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
 | **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
 | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |

windows/access-protection/credential-guard/credential-guard-considerations.md

@@ -18,23 +18,77 @@ author: brianlic-msft
 Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
 in the **Deep Dive into Windows Defender Credential Guard** video series.
      
--  Passwords are still weak so we recommend that your organization deploy Windows Defender Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
--   Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Windows Defender Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
--   As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Windows Defender Credential Guard running.
+Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
    
--   Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
-    -   Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
-    -   Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
-    -   You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Windows Defender Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you won't be able to restore those credentials.
-    - Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. 
+Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. 
 
 ## Wi-fi and VPN Considerations
-When you enable Windows Defender Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. 
-
+When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. 
 
 ## Kerberos Considerations
 
-When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
+When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
+
+## 3rd Party Security Support Providers Considerations
+Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+
+## Upgrade Considerations
+As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
+
+### Saved Windows Credentials Protected
+
+Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
+    -   Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+    -   Applications that extract Windows credentials fail.
+    -   When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+
+## Clearing TPM Considerations
+Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.  
+
+>[!WARNING] 
+> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.  <br>
+> When a TPM is cleared ALL features, which use VBS to protect data can no longer decrypt their protected data.
+
+As a result Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
+
+>[!NOTE] 
+> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. 
+
+### Windows credentials saved to Credential Manager
+Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. 
+
+### Domain-joined device’s automatically provisioned public key
+Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy disabled. For more information on Configuring device to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx).
+
+### Breaking DPAPI on domain-joined devices
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. 
+
+>[!IMPORTANT] 
+> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior. <br>
+Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. 
+
+If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
+
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: 
+
+|Credential Type | Windows 10 version | Behavior                             
+|---|---|---|
+| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
+| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
+| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
+| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.
+
+Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
+
+#### Impact of DPAPI failures on Windows Information Protection
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection.  The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened.  If DPAPI is working, then newly created work data is protected and can be accessed.  
+
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
 
 ## See also
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/25/2017
+ms.date: 08/31/2017
 ---
 
 # What's new in MDM enrollment and management
@@ -999,6 +999,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>DeviceGuard/RequirePlatformSecurityFeatures</li>
 <li>DeviceGuard/LsaCfgFlags</li>
 <li>ExploitGuard/ExploitProtectionSettings</li>
+<li>Games/AllowAdvancedGamingServices</li>
 <li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
@@ -1043,6 +1044,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Education/PreventAddingNewPrinters</li>
 <li>Education/PrinterNames</li>
 <li>Security/ClearTPMIfNotReady</li>
+<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
 <li>Update/DisableDualScan</li>
 <li>Update/ScheduledInstallEveryWeek</li>
 <li>Update/ScheduledInstallFirstWeek</li>
@@ -1421,6 +1423,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Browser/ProvisionFavorites</li>
 <li>Browser/LockdownFavorites</li>
 <li>ExploitGuard/ExploitProtectionSettings</li>
+<li>Games/AllowAdvancedGamingServices</li>
 <li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
@@ -1448,6 +1451,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Privacy/EnableActivityFeed</li>
 <li>Privacy/PublishUserActivities</li>
 <li>Update/DisableDualScan</li>
+<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
 </ul>
 <p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
 <p>Changed the names of the following policies:</p>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -2718,6 +2718,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-update.md#update-allowautoupdate" id="update-allowautoupdate">Update/AllowAutoUpdate</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork" id="update-allowautowindowsupdatedownloadovermeterednetwork">Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</a>
+  </dd>
   <dd>
     <a href="./policy-csp-update.md#update-allowmuupdateservice" id="update-allowmuupdateservice">Update/AllowMUUpdateService</a>
   </dd>

windows/client-management/mdm/policy-csp-games.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/30/2017
+ms.date: 08/31/2017
 ---
 
 # Policy CSP - Games
@@ -22,9 +22,36 @@ ms.date: 08/30/2017
 <!--StartPolicy-->
 <a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**  
 
-<!--StartDescription-->
-<p style="margin-left: 20px">Placeholder only. Currently not supported.
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
 
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
+
+- 0 - Not Allowed
+- 1 (default) - Allowed
+
+<p style="margin-left: 20px">This policy can only be turned off in Windows 10 Education and Enterprise editions.
 <!--EndDescription-->
 <!--EndPolicy-->
 <hr/>

windows/client-management/mdm/policy-csp-update.md

@@ -176,6 +176,43 @@ ms.date: 08/30/2017
 
 <p style="margin-left: 20px">If the policy is not configured, end-users get the default behavior (Auto install and restart).
 
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="update-allowautowindowsupdatedownloadovermeterednetwork"></a>**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.  
+
+- 0 (default) - Not allowed
+- 1 - Allowed
+
+A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
+
+This policy is accessible through the Update setting in the user interface or Group Policy.
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->

windows/deployment/TOC.md

@@ -221,6 +221,9 @@
 ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
 #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
 #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
+#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
+##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
+##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
 ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
 
 ## Windows Analytics

windows/deployment/update/device-health-get-started.md

@@ -39,37 +39,37 @@ Online Crash Analysis | oca.telemetry.microsoft.com
 
 Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). 
 
-**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace.
+**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)  and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
 
 **If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health:
 
 1.	Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
-   [![](images/uc-02a.png)](images/uc-02.png)
+   [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png)
 
 
 2.	Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-   [![](images/uc-03a.png)](images/uc-03.png)
+   [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png)
 
 
 3.	Create a new OMS workspace.
 
-     [![](images/uc-04a.png)](images/uc-04.png)
+     [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png)
 
 4.	Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
 
-    [![](images/uc-05a.png)](images/uc-05.png)
+    [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png)
 
 5.	If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
 
-    [![](images/uc-06a.png)](images/uc-06.png)
+    [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png)
 
-6.	To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. 
+6.	To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
 
-    [![](images/uc-08a.png)](images/uc-08.png)
+    [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png)
 
-7.	Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens.
+7.	Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added.
 
-    [![](images/uc-09a.png)](images/uc-09.png)
+    [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg)
 
 
 
@@ -89,7 +89,7 @@ In order for your devices to show up in Windows Analytics: Device Health, they m
     3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
 
 - Using Microsoft Mobile Device Management (MDM)<BR><BR>
-Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).  
+Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. You can find more information on deployment using MDM at the [DMClient Configuration Service Provider topic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).  
 
 ## Perform checks to ensure and verify successful deployment
 

windows/deployment/update/olympia/enrollment-keep-current-edition.md

@@ -0,0 +1,44 @@
+---
+title: Keep your current Windows 10 edition
+description: Olympia Corp enrollment - Keep your current Windows 10 edition
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment
+
+## Keep your current Windows 10 edition
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+    ![Settings -> Accounts](images/1-1.png)
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+
+3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+    ![Set up a work or school account](images/1-3.png)
+
+4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+    > [!NOTE]
+    > Passwords should contain 8-16 characters, including at least one special character or number.
+
+    ![Update your password](images/1-4.png)
+
+5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
+
+6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
+
+7. Create a PIN for signing into your Olympia corporate account.
+
+8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+    > [!NOTE]
+    > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.

windows/deployment/update/olympia/enrollment-upgrade-to-enterprise.md

@@ -0,0 +1,57 @@
+---
+title: Upgrade your Windows 10 edition from Pro to Enterprise
+description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment
+
+## Upgrade your Windows 10 edition from Pro to Enterprise
+
+1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
+
+    ![Settings -> Accounts](images/1-1.png)
+
+2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
+	
+3. Click **Connect**, then click **Join this device to Azure Active Directory**.
+
+    ![Update your password](images/2-3.png)
+
+4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
+
+    ![Set up a work or school account](images/2-4.png)
+
+5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
+
+    > [!NOTE]
+    > Passwords should contain 8-16 characters, including at least one special character or number.
+
+    ![Update your password](images/2-5.png)
+
+6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
+
+8. Create a PIN for signing into your Olympia corporate account.
+
+9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
+
+10. Restart your PC.
+
+11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
+
+12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
+
+    > [!NOTE]
+    > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
+
+13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
+
+\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
+

windows/deployment/update/olympia/olympia-enrollment-guidelines.md

@@ -0,0 +1,22 @@
+---
+title: Olympia Corp enrollment guidelines
+description: Olympia Corp enrollment guidelines
+ms.author: nibr
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 09/01/2017
+---
+
+# Olympia Corp enrollment guidelines
+
+Welcome to Olympia Corp. Here are the steps to add your account to your PC.
+
+As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade.
+
+Choose one of the following two enrollment options:
+
+1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md)
+
+2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md)

windows/deployment/update/update-compliance-get-started.md

@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-author: greg-lindsay
+author: jaimeo
 ---
 
 # Get started with Update Compliance
@@ -39,61 +39,61 @@ Online Crash Analysis | oca.telemetry.microsoft.com
 
 Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). 
 
-If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
+If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)  and [Device Health](device-health-monitor.md) solutions as well, if you haven't already.
 
 If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
 
 1.	Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
 
 
-   [![](images/uc-02a.png)](images/uc-02.png)
+   [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png)
 
 
 2.	Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
 
 
-   [![](images/uc-03a.png)](images/uc-03.png)
+   [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png)
 
 
 3.	Create a new OMS workspace. 
 
 
-   [![](images/uc-04a.png)](images/uc-04.png)
+   [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png)
  
 4.	Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
 
 
-   [![](images/uc-05a.png)](images/uc-05.png)
+   [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png)
 
 
 5.	If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
 
 
-   [![](images/uc-06a.png)](images/uc-06.png)
+   [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png)
 
 
-6.	To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
+6.	To add the Update Compliance solution to your workspace, go to the Solutions Gallery.  While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
 
 
-   [![](images/uc-07a.png)](images/uc-07.png)
+   [![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png)](images/uc-07.png)
 
 
 7.	Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace. 
 
  
-   [![](images/uc-08a.png)](images/uc-08.png)
+   [![Workspace showing Solutions Gallery](images/uc-08a.png)](images/uc-08.png)
 
 
 8.	Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
 
 
-   [![](images/uc-09a.png)](images/uc-09.png)
+   [![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png)](images/uc-09.png)
 
 
 9.	Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
 
 
-   [![](images/uc-10a.png)](images/uc-10.png)
+   [![Series of blades showing Connected Sources, Windows Telemetry, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png)](images/uc-10.png)
 
 
 After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.

windows/deployment/upgrade/upgrade-readiness-get-started.md

@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-author: greg-lindsay
+author: jaimeo
 ---
 
 # Get started with Upgrade Readiness
@@ -43,7 +43,7 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen
 >[!IMPORTANT]
 >Upgrade Readiness is a free solution.  When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure.  Upgrade Readiness data **do not** count toward OMS daily upload limits.
 
-If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace.
+If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
 
 If you are not using OMS:
 
@@ -54,9 +54,9 @@ If you are not using OMS:
 
     > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
 
-1.  To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness.
+5.  To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness.
 
-2.  Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens.
+6.  Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens.
 
 ### Generate your commercial ID key
 
@@ -64,7 +64,7 @@ Microsoft uses a unique commercial ID to map information from user computers to
 
 1.  On the Settings Dashboard, navigate to the **Windows telemetry** panel.
 
-    ![upgrade-readiness-telemetry](../images/upgrade-analytics-telemetry.png)
+    ![Windows Telemetry dialog showing button for "how to enable telemetry," the current commercial ID key, and a Subsribe button](../images/upgrade-analytics-telemetry.png)
 
 2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.
 

windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md

@@ -2,7 +2,7 @@
 title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
 description: Describes how to use Upgrade Readiness to manage Windows upgrades.
 ms.prod: w10
-author: greg-lindsay
+author: jaimeo
 ---
 
 # Use Upgrade Readiness to manage Windows upgrades
@@ -14,7 +14,7 @@ You can use Upgrade Readiness to prioritize and work through application and dri
 
 When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks. 
 
-<A HREF="../images/ua-cg-15.png">![Workflow](../images/ua-cg-15.png)</A>
+<A HREF="../images/ua-cg-15.png">![Series of blades showing Upgrade Overview, Step 1: Identify Important Apps, Prioritize Applications, Step 2: Resolve issues, and Review applications with known issues](../images/ua-cg-15.png)</A>
 
 Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
 
@@ -35,7 +35,7 @@ Also see the following topic for information about additional items that can be
 
 The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example:
 
-![Target version](../images/ur-target-version.png)
+![Upgrade overview showing target version](../images/ur-target-version.png)
 
 As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. 
 
@@ -45,10 +45,10 @@ You now have the ability to change the Windows 10 version you wish to target. Th
 
 To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
 
-![Target version](../images/ua-cg-08.png)
+![Upgrade Readiness dialog showing gear labeled Solution Settings](../images/ua-cg-08.png)
 
 >You must be signed in to Upgrade Readiness as an administrator to view settings.
 
 On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
 
-![Target version](../images/ur-settings.png)
+![Upgrade Readiness Settings dialog showing gear labeled Save and arrow labeled Cancel](../images/ur-settings.png)