Merge remote-tracking branch 'refs/remotes/origin/rs1' into jdrs

jdeckerMS 2016-07-27 09:44:13 -07:00
commit c42b3f0809
70 changed files with 1626 additions and 522 deletions

.gitignore

@ -9,4 +9,4 @@ Tools/NuGet/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
*.zip
windows/keep-secure/index.md
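
Review bot: the `windows/keep-secure/index.md` entry at the end of this `.gitignore` hunk names a single content page, next to build artefacts such as `packages.config` and `*.zip`. An ignore rule for a published topic means later edits to that file will not appear in `git status` and can slip past review. If this is a temporary workaround, say so in a `#` comment above the entry; otherwise drop the entry.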


@ -1,21 +0,0 @@
{
"filters": [
{
"metadata": {
"localizationpriority": [ "high" ]
}
}
],
"locales": [ "ja-jp", "de-de", "fr-fr", "zh-cn", "zh-tw", "ko-kr", "es-es", "it-it", "ru-ru", "pt-br" ],
"files": ["!/*.md", "**/**/*.md", "**/*.md"],
"includeDependencies": true,
"autoPush": true,
"xliffVersion": "2.0",
"useJavascriptMarkdownTransformer": true,
"markdownTransformerOptions": {
"lockBackslashEscapeChars": false
}
}


@ -26,6 +26,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage
| Topic | Description |
| -----------------------| ----------------------------------- |
|[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. |
|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.|
| [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) | Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.|
| [Available policies for Microsoft Edge](available-policies.md) | Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. <p>Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. |
| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. <p>Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. |


@ -1,5 +1,6 @@
#[Microsoft Edge - Deployment Guide for IT Pros](index.md)
##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)
##[Available policies for Microsoft Edge](available-policies.md)
##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)


@ -11,6 +11,13 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/).
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. |
|[Available policies for Microsoft Edge](available-policies.md) |Updated |
## June 2016
|New or changed topic | Description |
|----------------------|-------------|


@ -0,0 +1,51 @@
---
title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros)
description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11.
ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa
author: eross-msft
ms.prod: edge
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: appcompat
---
# Browser: Microsoft Edge and Internet Explorer 11
**Microsoft Edge content applies to:**
- Windows 10
- Windows 10 Mobile
**Internet Explorer 11 content applies to:**
- Windows 10
## Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### IE11
IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.
- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
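
Review bot: both IE11 download links in this new topic use plain `http://` (`http://go.microsoft.com/fwlink/p/?linkid=290956` in the Enterprise guidance paragraph and `http://windows.microsoft.com/en-US/internet-explorer/download-ie` under Related topics), while every other link in the file is `https://`. These point readers at a browser installer, so switch them to `https://` if the targets support it, and use one download link consistently instead of two different ones.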


@ -1,4 +1,5 @@
#[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md)
##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md)
##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md)
##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md)


@ -1,6 +1,6 @@
---
title: Change history for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
description: This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10 and Windows 10 Mobile.
title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
ms.prod: ie11
ms.mktglfcycl: deploy
ms.sitesec: library
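
Review bot: the longer `title:` line in this front matter says "for IT Pros" twice ("... (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)"). Trim one of the two suffixes so the rendered page title does not repeat itself, and keep the wording in step with the `description:` line, which now says "Deployment Guide documentation".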
@ -9,8 +9,18 @@ ms.sitesec: library
# Change history for Internet Explorer 11
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
## May 2016
##July 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using &lt;emie&gt; and &lt;docMode&gt; together. |
|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. |
## June 2016
|New or changed topic | Description |
|----------------------|-------------|
|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. |
## May 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using &lt;emie&gt; and &lt;docMode&gt; together. |
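
Review bot: `##July 2016` is missing the space after `##` that `## June 2016` and `## May 2016` have, so stricter Markdown renderers will print it as text instead of a heading. The July table also repeats the `Enterprise Mode schema v.1 guidance` row word for word from the May 2016 table; if that topic did not change again in July, drop the row. The intro sentence under the H1 still says "Internet Explorer 11 documentation" while the updated description says "Deployment Guide documentation"; pick one.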


@ -12,22 +12,65 @@ title: New group policy settings for Internet Explorer 11 (Internet Explorer 11
# New group policy settings for Internet Explorer 11
Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:
|Policy |Category path |Supported on |Explanation |
|---------------------------|------------------------------|-------------|-----------------------------------|
|Turn off loading websites and content in the background to optimize performance |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.<p>If you enable this policy setting, IE doesn't load any websites or content in the background.<p>If you disable this policy setting, IE preemptively loads websites and content in the background.<p>If you dont configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. |
|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the users keystrokes are sent to Microsoft through Microsoft services.<p>If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users wont be able to change the **Suggestions** setting on the **Settings** charm.<p>If you disable this policy setting, users wont receive enhanced suggestions while typing in the Address bar. In addition, users wont be able to change the **Suggestions** setting on the **Settings** charm.<p>If you dont configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. |
|Turn off phone number detection |`Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing` |IE11 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.<p>If you enable this policy setting, phone number detection is turned off. Users wont be able to modify this setting.<p>If you disable this policy setting, phone number detection is turned on. Users wont be able to modify this setting.<p>If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. |
|Allow IE to use the HTTP2 network protocol |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 on Windows 8.1 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.<p>If you enable this policy setting, IE uses the HTTP2 network protocol.<p>If you disable this policy setting, IE won't use the HTTP2 network protocol.<p>If you don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Internet Options settings. The default is on. |
|Don't run antimalware programs against ActiveX controls<br>(Internet, Restricted Zones) |<ul><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone`</li></ul> |IE11 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using IE Security settings. |
|Don't run antimalware programs against ActiveX controls<br>(Intranet, Trusted, Local Machine Zones) |<ul><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone`</li><li>`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone`</li></ul> |IE11 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using IE Security settings. |
|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>**Important:**<br> Some ActiveX controls and toolbars may not be available when 64-bit processes are used.<p>If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default. |
|Turn off sending UTF-8 query strings for URLs |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.<p>If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:<ul><li><b>0.</b> Never encode query strings.</li><li><b>1.</b> Only encode query strings for URLs that aren't in the Intranet zone.</li><li><b>2.</b> Only encode query strings for URLs that are in the Intranet zone.</li><li><b>3.</b> Always encode query strings.</li></ul>If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. |
|Turn off sending URL path as UTF-8 |`User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding` |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.<p>If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.<p>If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.<p>If you don't configure this policy setting, users can turn this behavior on or off. |
|Turn off the flip ahead with page prediction feature |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.<p>Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isnt available for Internet Explorer for the desktop.<p>If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isnt loaded into the background.<p>If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.<p>If you dont configure this setting, users can turn this behavior on or off, using the **Settings** charm. |
|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |`Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History` |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**<br>This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing.<p>**In IE11:**<br>This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions stored for visited website.<p>This feature is available in the **Delete Browsing History** dialog box.<p>If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.<p>If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.<p>If you dont configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. |
|Always send Do Not Track header |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.<p>If you enable this policy setting, IE sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to the servers not to track the user.<p>**In Internet Explorer 9 and 10:**<br>If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.<p>**In at least IE11:**<br>If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.<p>If you don't configure the policy setting, users can select the Always send Do Not Track header option on the Advanced tab of the Internet Options dialog box. By selecting this option, IE sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a DNT:0 header. By default, this option is enabled. |
|Let users turn on and use Enterprise Mode from the **Tools** menu |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.<p>If you turn this setting on, users can see and use the Enterprise Mode option from the **Tools** menu. If you turn this setting on, but dont specify a report location, Enterprise Mode will still be available to your users, but you wont get any reports.<p>If you disable or dont configure this policy setting, the menu option wont appear and users wont be able to turn on Enterprise Mode locally. |
|Use the Enterprise Mode IE website list |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users cant edit this list.<p>If you enable this policy setting, IE downloads the website list from `HKCU` or `HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server (https://), to help protect against data tampering.<p>If you disable or dont configure this policy setting, IE opens all websites using Standard mode. |
|Policy |Category Path |Supported on |Explanation |
|-------|--------------|-------------|------------|
|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.<p>If you enable this policy setting, IE doesn't load any websites or content in the background.<p>If you disable this policy setting, IE preemptively loads websites and content in the background.<p>If you dont configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. |
|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the users keystrokes are sent to Microsoft through Microsoft services.<p>If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users wont be able to change the **Suggestions** setting on the **Settings** charm.<p>If you disable this policy setting, users wont receive enhanced suggestions while typing in the Address bar. In addition, users wont be able to change the **Suggestions** setting on the **Settings** charm.<p>If you dont configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. |
|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.<p>If you enable this policy setting, phone number detection is turned off. Users wont be able to modify this setting.<p>If you disable this policy setting, phone number detection is turned on. Users wont be able to modify this setting.<p>If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. |
|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.<p>If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.<p>If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.<p>If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.<p>**Note**<br>We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
|Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.<p>If you enable this policy setting, IE uses the HTTP2 network protocol.<p>If you disable this policy setting, IE won't use the HTTP2 network protocol.<p>If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. |
|Don't run antimalware programs against ActiveX controls<br>(Internet, Restricted Zones) |<ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone</li></ul> |IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
|Don't run antimalware programs against ActiveX controls<br>(Intranet, Trusted, Local Machine Zones) |<ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone</li></ul> |IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. |
|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.<p>If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.<p>**Important**<br>When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.<p>If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:<ul><li>**0.** Never encode query strings.</li><li>**1.** Only encode query strings for URLs that aren't in the Intranet zone.</li><li>**2.** Only encode query strings for URLs that are in the Intranet zone.</li><li>**3.** Always encode query strings.</li></ul><p>If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. |
|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.<p>If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.<p>If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.<p>If you don't configure this policy setting, users can turn this behavior on or off. |
|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.<p>If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isnt loaded into the background.<p>If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.<p>If you dont configure this setting, users can turn this behavior on or off, using the **Settings** charm.<p>**Note**<br>Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isnt available for Internet Explorer for the desktop. |
|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**<br>This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.<p>**In IE11:**<br>This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.<p>If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.<p>If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.<p>If you dont configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. |
|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.<p>If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.<p>**In Internet Explorer 9 and 10:**<br>If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.<p>**In at least IE11:**<br>If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.<p>If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.<p>If you enable this policy setting, users wont be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.<p>If you disable or dont configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. |
|Allow only approved domains to use the TDC ActiveX control |<ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone</li></ul> |IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.<p>If you enable this policy setting, users wont be able to run the TDC ActiveX control from all sites in the specified zone.<p>If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. |
|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.<p>If you disable or dont configure this setting, the Internet Explorer Site Discovery Toolkit wont log its collected data to an XML file.<p>**Note:**<br>Enabling or disabling this setting wont impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.<p>If you disable or dont configure this setting, the Internet Explorer Site Discovery Toolkit wont log its collected data to an WMI class.<p>**Note:**<br>Enabling or disabling this setting wont impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
|Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.<p>If you disable or dont configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.<p>**Note:**<br>You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
|Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.<p>If you disable or dont configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.<p>To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:<ul><li>0 Restricted Sites zone</li><li>0 Internet zone</li><li>0 Trusted Sites zone</li><li>0 Local Intranet zone</li><li>0 Local Machine zone</li></ul><br>**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:<br><ul><li>0 Restricted Sites zone</li><li>0 Internet zone</li><li>0 Trusted Sites zone</li><li>1 Local Intranet zone</li><li>0 Local Machine zone</li></ul><br>**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:<br><ul><li>1 Restricted Sites zone</li><li>0 Internet zone</li><li>1 Trusted Sites zone</li><li>1 Local Intranet zone</li><li>1 Local Machine zone</li></ul><p>**Note:**<br>You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesnt affect which security protocols are enabled.<p>If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.<p>If you disable or dont configure this setting, Internet Explorer uses the default system protocols.**Important:**<br>By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.<p>If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.<p>If you disable or dont configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.<p>**Important:**<br>Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.<p>If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but dont specify a report location, Enterprise Mode will still be available to your users, but you wont get any reports.<p>If you disable or dont configure this policy setting, the menu option wont appear and users wont be able to turn on Enterprise Mode locally. |
|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users cant edit this list.<p>If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.<p>If you disable or dont configure this policy setting, Internet Explorer opens all websites using **Standard** mode. |
|Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that arent specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.<p>If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.<p>If you disable or don't configure this policy setting, all sites will open based on the currently active browser.<p>**Note:**<br>If youve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. |
|Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.<p>If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.<p>If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. |
## Removed Group Policy settings
IE11 no longer supports these Group Policy settings:
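Review bot: In the "Limit Site Discovery output by Zone" row, Example 2 contradicts itself: the text says to include only the Restricted Sites, Trusted Sites, and Local Intranet zones with binary 10110, but the list under it shows "1 Local Machine zone", which would make the value 10111. Change that item to "0 Local Machine zone". Three smaller markup problems in the same table: `**Advanced*` in the "Always send Do Not Track header" row is missing its closing asterisk, `**eport Site Problems**` in the report-site-problems row has lost its leading "R", and the "Allow SSL3 Fallback" row runs "default system protocols." straight into `**Important:**` with no `<p>` between them. The "Allow SSL3 Fallback" description also opens by saying the setting lets you stop fallback while the enabled state turns fallback on, so state the enabled and disabled behavior first and make the summary sentence match.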
@ -45,16 +88,9 @@ IE11 no longer supports these Group Policy settings:
## Viewing your policy settings
After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings.
![](images/wedge.gif) **To use the RSoP snap-in**
**To use the RSoP snap-in**
1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see.
2. Open your wizard results in the Group Policy Management Console (GPMC).<p>
For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](http://go.microsoft.com/fwlink/p/?LinkId=395201)
 
 
For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](http://go.microsoft.com/fwlink/p/?LinkId=395201)
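Review bot: Step 2 of the RSoP procedure ends with a dangling `<p>` that nothing closes. Either drop it or move the "For complete instructions" sentence into the list item it is meant to separate. That sentence also has no closing period, and its link uses `http://` where the redirect could be referenced over `https://`.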

View File

@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
localizationpriority: high
---
# Appendix: PowerShell (Surface Hub)

View File

@ -34,7 +34,7 @@ Provisioning packages are created using Windows Imaging and Configuration Design
### <a href="" id="what-can-prov-pkg"></a>What can provisioning packages configure for Surface Hubs?
Currently, you can use provisioning packages to install certificates and to install Universal App Platform (UAP) apps on your Surface Hub. These are the only two supported scenarios.
Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios.
You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps).

View File

@ -1,5 +1,6 @@
# [Windows 10 for education](index.md)
## [Change history for Windows 10 for Education](change-history-edu.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
## [Setup options for Windows 10](set-up-windows-10.md)
### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
@ -11,6 +12,7 @@
## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
### [Set up Take a Test on a single PC ](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md)
### [Take a Test app technical reference ](take-a-test-app-technical.md)
### [Take a Test app technical reference ](take-a-test-app-technical.md)
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
## [Chromebook migration guide](chromebook-migration-guide.md)

View File

@ -12,8 +12,8 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## RELEASE: Windows 10, version 1607
## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Set up Windows 10](set-up-windows-10.md)
@ -21,6 +21,13 @@ The topics in this library have been updated for Windows 10, version 1607 (also
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
## July 2016
| New or changed topic | Description|
| --- | --- |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New |
## June 2016
| New or changed topic | Description |

View File

@ -17,10 +17,11 @@ author: jdeckerMS
|Topic |Description |
|------|------------|
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Learn how the **Set up School PCs** app works and how to use it. |
| [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) | See the changes that the **Set up School PCs** app makes to a PC. |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. |
| [Provisioning options for Windows 10](set-up-windows-10.md) | Learn about your options for setting up Windows 10. |
| [Get Minecraft Education Edition](get-minecraft-for-education.md) | Learn how to get early access to **Minecraft Education Edition**. |
| [Take tests in Windows 10](take-tests-in-windows-10.md) | Learn how to configure and use the **Take a Test** app in Windows 10 |
| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. |
| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. |
| [Chromebook migration guide](chromebook-migration-guide.md) | Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. |

View File

@ -0,0 +1,54 @@
---
title: Windows 10 editions for education customers
description: Provides an overview of the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions.
keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
---
# Windows 10 editions for education customers
**Applies to:**
- Windows 10
Windows 10 Anniversary Update (Windows 10, version 1607) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows weve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsofts commitment to security and privacy in Windows 10, see more on both [security](http://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](http://go.microsoft.com/fwlink/?LinkId=822620).
Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](http://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](http://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/).
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
## Windows 10 Pro Education
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana<sup>1</sup>. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627).
Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation.
Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), available at a later date.
Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [MManage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
## Windows 10 Education
Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings, including the removal of Cortana<sup>1</sup>. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627).
Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](http://go.microsoft.com/fwlink/?LinkId=822628).
Customers that deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
## Related topics
* [Windows deployment for education](http://aka.ms/edudeploy)
* [Windows 10 upgrade paths](http://go.microsoft.com/fwlink/?LinkId=822787)
* [Volume Activation for Windows 10](http://go.microsoft.com/fwlink/?LinkId=822788)
* [Plan for volume activation](http://go.microsoft.com/fwlink/?LinkId=822789)
<sup>1</sup> <small>Cortana available in select markets; experience may vary by region and device. Cortana is disabled in the Windows 10 Pro Education and Windows 10 Education editions.</small>
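Review bot: The two edition sections say the education defaults include "the removal of Cortana", while the footnote says "Cortana is disabled in the Windows 10 Pro Education and Windows 10 Education editions". Removed and disabled are different states for an administrator deciding what policy to audit, so pick one term and use it in both places. Also in this new file: the front-matter description reads "the two editions ... that's designed" and should be "that are designed"; the link text in the Windows 10 Pro paragraph is "[MManage Windows 10 and Windows Store tips, tricks and suggestions]" with a doubled "M"; and "available at a later date" after the Volume Licensing Service Center link gives the reader nothing to act on unless a date or a pointer to where it will be announced is added.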

View File

@ -1,5 +1,15 @@
# [Deploy Windows 10](index.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md)
### [Upgrade Analytics architecture](upgrade-analytics-architecture.md)
### [Upgrade Analytics requirements](upgrade-analytics-requirements.md)
### [Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
### [Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
### [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
#### [Prepare your environment](upgrade-analytics-prepare-your-environment.md)
#### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md)
#### [Deploy Windows](upgrade-analytics-deploy-windows.md)
### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)

View File

@ -19,6 +19,10 @@ The topics in this library have been updated for Windows 10, version 1607 (also
- [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md)
- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md)
## July 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New |
## June 2016
| New or changed topic | Description |
@ -48,12 +52,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also
- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
 
 

View File

@ -59,6 +59,8 @@ All four of the roles specified above can be hosted on the same computer or each
```
Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
```
Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**.
5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**:
```
@ -66,7 +68,7 @@ All four of the roles specified above can be hosted on the same computer or each
y:
md boot
```
6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example:
6. Copy the PXE boot files from the mounted directory to the \boot folder. For example:
```
copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot
@ -76,11 +78,16 @@ All four of the roles specified above can be hosted on the same computer or each
```
copy C:\winpe_amd64\media\boot\boot.sdi y:\boot
```
8. Copy the bootable Windows PE image (boot.wim) to the \Boot folder.
8. Copy the bootable Windows PE image (boot.wim) to the \boot folder.
```
copy C:\winpe_amd64\media\sources\boot.wim y:\boot
```
9. (Optional) Copy true type fonts to the \boot folder
```
copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts
```
## Step 2: Configure boot settings and copy the BCD file
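Review bot: The new step 9 runs `copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts` without first creating y:\boot\Fonts, and copy does not create directories, so on a fresh \boot folder the fonts will not end up in a Fonts subfolder as the step intends. Add `md y:\boot\Fonts` before the copy, or use xcopy with a switch that creates the destination. The step heading is also missing its closing period, and "true type" should read "TrueType".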
@ -93,29 +100,37 @@ All four of the roles specified above can be hosted on the same computer or each
```
bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C:
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader
```
The last command will return a GUID, for example:
```
The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created.
```
Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID.
3. Create a new boot application entry for the Windows PE image:
```
bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} systemroot \windows
bcdedit /store c:\BCD /set {GUID1} detecthal Yes
bcdedit /store c:\BCD /set {GUID1} winpe Yes
```
4. Configure BOOTMGR settings:
4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID):
```
bcdedit /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit /store c:\BCD /set {bootmgr} timeout 30
bcdedit /store c:\BCD -displayorder {GUID1} -addlast
```
5. Copy the BCD file to your TFTP server:
```
copy c:\BCD \\PXE-1\TFTPRoot\Boot
copy c:\BCD \\PXE-1\TFTPRoot\boot\BCD
```
Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
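Review bot: The added instruction to replace "GUID1" with your GUID does not say whether the braces stay, while every command writes `{GUID1}` and the sample output already shows the value in braces. State explicitly that the braces are kept, so the argument ends up as `{a4f89c62-2142-11e6-80b6-00155da04110}` in the example. In the closing paragraph the command appears with HTML-escaped angle brackets (`&lt;BCD file location&gt;`) in running text; put it in code formatting so it renders literally. Since step 5 now writes the BCD that every PXE client will download, it is also worth adding one sentence that write access to \\PXE-1\TFTPRoot should be limited to the administrators who maintain the boot files.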
@ -151,10 +166,11 @@ ramdisksdipath \boot\boot.sdi
The following summarizes the PXE client boot process.
1. A client is directed by DHCP options 066 and 067 to download boot\\wdsnbp.com from the TFTP server.
2. Wdsnbp.com validates the DHCP/PXE response packet and then the client downloads boot\\pxeboot.com.
3. Pxeboot.com requires the client to press the F12 key to initiate a PXE boot.
4. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD.
>The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](https://technet.microsoft.com/en-us/library/cc732351.aspx).
1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server.
2. PXEboot.n12 immediately begins a network boot.
3. The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD.
5. Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present.
6. Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image.
7. Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE.
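Review bot: The rewritten list now runs 1, 2, 3 and then continues with the unchanged items 5, 6, 7, because one step was dropped without renumbering the rest; renumber the trailing items to 4, 5, 6. The new note switches from "options 066 and 067" to "option 67" within two lines, so pick one form. Because PXEboot.n12 removes the F12 prompt, the text should say plainly that any client whose firmware tries network boot first will start Windows PE without confirmation, so readers can decide whether that suits their network.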

Binary file not shown.


View File

@ -16,6 +16,7 @@ Learn about deploying Windows 10 for IT professionals.
|Topic |Description |
|------|------------|
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |

View File

@ -0,0 +1,57 @@
---
title: Manage Windows upgrades with Upgrade Analytics (Windows 10)
description: Provides an overview of the process of managing Windows upgrades with Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Manage Windows upgrades with Upgrade Analytics
Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
With the release of Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsofts experience upgrading millions of devices to Windows 10.
With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
- Detailed computer and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues, with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools, including System Center Configuration Manager
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
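Review bot: The heading `##**Related topics**` has no space after the `##` and wraps the heading text in bold, so renderers that require the space will show it as literal text instead of a heading. Write it as `## Related topics`. The related links below it are separate lines with nothing between them and may collapse into one paragraph; a bulleted list, as used for the telemetry links earlier in the file, would be more robust.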

View File

@ -0,0 +1,33 @@
---
title: Troubleshoot Upgrade Analytics (Windows 10)
description: Provides troubleshooting information for Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Troubleshoot Upgrade Analytics
If youre having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
If you still dont see data in Upgrade Analytics, follow these steps:
1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
2. Edit the script as described in [Run the Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script).
3. Check that isVerboseLogging is set to $true.
4. Run the script again. Log files will be saved to the directory specified in the script.
5. Open a support case with Microsoft Support through your regular channel and provide this information.
## Disable Upgrade Analytics
If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Analytics solution in the OMS portal.
2. Disable the Customer Experience Improvement Program on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to Security.
3. Delete the CommercialDataOptin key in *HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection*
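Review bot: Step 3 of "Disable Upgrade Analytics" removes only CommercialDataOptin, but the get-started topic added in this same commit says the deployment script sets the commercial ID key, CommercialDataOptIn and RequestAllAppraiserVersions. Either list all three for removal or explain why the other two can stay, otherwise a reader who wants to stop sending data is left with a partial cleanup. The name is also spelled CommercialDataOptin here and CommercialDataOptIn in the other topic; use one spelling. In the first list, step 5 says "provide this information" without saying that it means the log files produced in step 4.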

View File

@ -0,0 +1,34 @@
---
title: Upgrade Analytics architecture (Windows 10)
description: Describes Upgrade Analytics architecture.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics architecture
Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Analytics components work together in a typical installation.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image1.png" width="624" height="401" />
-->
![Upgrade Analytics architecture](images/upgrade-analytics-architecture.png)
After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Analytics, telemetry data is analyzed by the Upgrade Analytics Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Analytics solution (5) to plan and manage Windows upgrades.
For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
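Review bot: The commented-out block "PRESERVING ORIGINAL IMAGE CODING JUST IN CASE" with the old `<img src="media/image1.png" ...>` tag should not ship in the published topic; version control already preserves it, and it points at a media/ path that this commit does not add. Remove it here and in the other new topics that carry the same comment. The `##**Related topics**` heading needs a space after `##` and no bold, as in the overview topic.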

View File

@ -0,0 +1,26 @@
---
title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10)
description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics - Get a list of computers that are upgrade ready
All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as youve resolved issues and decided which applications and drivers are ready to upgrade, youve been building a list of computers that are upgrade ready.
The blades in the **Deploy** section are:
## Deploy eligible computers
Computers grouped by deployment decision are listed.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image9.png" width="195" height="316" />
-->
![Deploy eligible computers](images/upgrade-analytics-deploy-eligible.png)
Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
>**Important**<br> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
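Review bot: The front-matter title says "upgrade-ready" while the H1 says "upgrade ready"; use the hyphenated form in both, since the body text also uses "upgrade-ready computers". The sentence "The blades in the **Deploy** section are:" introduces a list but only one blade follows, so reword it to the singular or drop it. The commented-out `<img src="media/image9.png" ...>` block should be removed as well.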

View File

@ -0,0 +1,161 @@
---
title: Get started with Upgrade Analytics (Windows 10)
description: Explains how to get started with Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Get started with Upgrade Analytics
Use Upgrade Analytics to plan and manage your upgrade project end to end. After youve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. We use this data to identify compatibility issues that can block your upgrade and suggest fixes that are known to Microsoft.
For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
This topic explains how to obtain and set up Upgrade Analytics components. If you havent done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics.
To configure Upgrade Analytics, youll need to:
- Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal
- Establish communications and enable data sharing between your organization and Microsoft
Each task is explained in detail in the following sections.
## Add Upgrade Analytics to Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, youll find Upgrade Analytics in the Solutions Gallery. Select the **Upgrade Analytics** tile in the gallery and then click **Add** on the solution's details page. Upgrade Analytics is now visible in your workspace.
If you are not using OMS:
1. Go to the [Upgrade Analytics website](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator.
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
1. To add the Upgrade Analytics solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Analytics** tile in the gallery and then select **Add** on the solutions details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Analytics.
2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens.
## Enable data sharing between your organization and Upgrade Analytics
After youve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, complete the following tasks to establish communication and enable data sharing between user computers, Microsoft secure data centers, and Upgrade Analytics.
## Generate your commercial ID key
Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
![upgrade-analytics-telemetry](images/upgrade-analytics-telemetry.png)
2. On the Windows telemetry panel, copy and save your commercial ID key. Youll need to insert this key into the Upgrade Analytics deployment script later so it can be deployed to user computers.
>**Important**<br> Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, youll need to deploy the new commercial ID key to user computers again.
## Subscribe to Upgrade Analytics
For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics.
1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Analytics solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics.
## Whitelist select endpoints
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
Note: The compatibility update KB runs under the computers system account and does not support user authenticated proxies.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com/collect/v1` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
| `https://settings-win.data.microsoft.com/settings` | Enables the compatibility update KB to send data to Microsoft. |
| `http://go.microsoft.com/fwlink/?LinkID=544713`<br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
| `https://vortex.data.microsoft.com/health/keepalive` <br>`https://settings.data.microsoft.com/qos` <br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | These endpoints are used to validate that user computers are sharing data with Microsoft. |
## Deploy the compatibility update and related KBs
The compatibility update KB scans your computers and enables application usage tracking. If you dont already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
| **Operating System** | **KBs** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
### Automate data collection
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
- Schedule the Upgrade Analytics deployment script to automatically run so that you dont have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you wont see the changes in Upgrade Analytics until you run the script again.
- Schedule monthly user computer scans to view monthly active computer and usage information.
## Run the Upgrade Analytics deployment script
To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft.
The Upgrade Analytics deployment script does the following:
1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
2. Verifies that user computers can send data to Microsoft.
3. Checks whether the computer has a pending restart.  
4. Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases).
5. If enabled, turns on verbose mode for troubleshooting.
6. Initiates the collection of the telemetry data that Microsoft needs to assess your organizations upgrade readiness.
7. If enabled, displays the scripts progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
To run the Upgrade Analytics deployment script:
1. Download the [Upgrade Analytics deployment script](http://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
2. Edit the following parameters in RunConfig.bat:
1. Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics
2. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory.
3. Input your commercial ID key.
4. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
> *logMode = 0 log to console only*
>
> *logMode = 1 log to file and console*
>
> *logMode = 2 log to file only*
3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
4. Notify users if they need to restart their computers. By default, this is set to off.
5. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
## Seeing data from computers in Upgrade Analytics
After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
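Review bot: In the KB table, the Windows 7 SP1 row ends with "NOTE: KB2976978 must be installed before you can download and install KB3150513", but KB2976978 is the Windows 8.1 update and the row itself lists KB2952664; this looks copied from the row above and should name KB2952664. The numbered lists also restart: under "If you are not using OMS" the blockquote after step 4 is followed by a new "1." and "2.", and "Subscribe to Upgrade Analytics" has two items both numbered "1."; the sub-steps under "Edit the following parameters in RunConfig.bat" are not indented, so they read as top-level steps. In the endpoint table, one entry (`http://go.microsoft.com/fwlink/?LinkID=544713`) is plain HTTP while the rest are HTTPS; confirm that is intended, since readers will copy these into proxy allow lists.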

View File

@ -0,0 +1,116 @@
---
title: Upgrade Analytics - Prepare your environment (Windows 10)
description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics - Prepare your environment
This section of the Upgrade Analytics workflow reports your computer and application inventory and lists computers that you can use in a pilot with no known issues or with fixable driver issues. Additionally, you can determine the priority level of applications to indicate which applications the team should focus on to get them upgrade ready.
The blades in the **Prepare your environment** section are:
## Upgrade overview
Displays the total count of computers sharing data with Microsoft and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
Check this blade for data refresh status, including the date and time of the most recent data update and whether user changes are reflected. If a user change is pending when changing the upgrade assessment or importance level of an application or driver, **Data refresh pending** is displayed in orange. User changes are processed once every 24 hours and read **Up to date** in green when there are no pending changes.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image3.png" width="214" height="345" />
-->
![Upgrade overview](images/upgrade-analytics-overview.png)
Select **Total computers** for a list of computers and details about them, including:
- Computer ID and computer name
- Computer manufacturer
- Computer model
- Operating system version and build
- Count of system requirement, application, and driver issues per computer
- Upgrade assessment based on analysis of computer telemetry data
- Upgrade decision status
Select **Total applications** for a list of applications discovered on user computers and details about them, including:
- Application vendor
- Application version
- Count of computers the application is installed on
- Count of computers that opened the application at least once in the past 30 days
- Percentage of computers in your total computer inventory that opened the application in the past 30 days
- Issues detected, if any
- Upgrade assessment based on analysis of application data
- Roll up level
## Run a pilot
Computers with no known issues and computers with fixable driver issues are listed, grouped by upgrade assessment. We recommend that you use these computers to test the impact of upgrading.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image4.png" width="203" height="326" />
-->
![Run a pilot](images/upgrade-analytics-pilot.png)
Before you start your pilot project, be sure to review upgrade assessment and guidance details, explained in more detail in the table below.
| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
|-----------------------|------------------------------------------------|----------|-----------------|---------------|
| No known issues | No | None | Computers will upgrade seamlessly.<br> | OK to use as-is in pilot. |
| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver wont migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver wont migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update. <br><br>If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading. <br> <br> |
Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
See [Plan for Windows 10 deployment](http://technet.microsoft.com/itpro/windows/plan/index) for more information about ways to deploy Windows in your organization. Read about [how Microsoft IT deployed Windows as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade) for best practices using the in-place upgrade method.
## Prioritize applications
Applications are listed, grouped by importance level. Prioritizing your applications allows you to identify the ones that you will focus on preparing for upgrade.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image5.png" width="213" height="345" />
-->
![Prioritize applications](images/upgrade-analytics-prioritize.png)
Select **Assign importance** to change an applications importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
To change an applications importance level:
1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. Select **Table** to view the list in a table.
2. Select **User changes** to enable user input.
3. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
4. Click **Save** when finished.
Importance levels include:
| Importance level | When to use it | Recommendation |
|--------------------|------------------|------------------|
| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]<br><br>Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.<br> | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. <br><br> |
| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you change the importance level.<br><br>These applications are also marked as **Not reviewed** in the **UpgradeDecision** column. <br> | Once youve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organizations functioning, mark it **Business critical**. <br><br> | You may also want to change the applications status to **Review in progress** in the **UpgradeDecision** column to let other team members know that youre working on getting this business critical application upgrade-ready. Once youve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**. <br> |
| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organizations functioning, mark it **Important**. | You may also want to change the applications status to **Review in progress** in the **UpgradeDecision** column to let other team members know that youre working on getting this important application upgrade-ready. Once youve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**. <br> |
| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organizations functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**. <br> | Set the applications importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing.<br><br>You may also want to change the applications status to **Not reviewed** or **Ready to upgrade** in the **UpgradeDecision** column. <br> |
| Review in progress | Once youve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.<br> | As you learn more about the applications importance to your organizations functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.<br><br>Until youve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**. <br> |
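
Review bot: The callout after the **Export computers** paragraph opens with `>**Important**>`, and the second `>` will render as a literal character inside the blockquote; drop it or put a line break after the label. In the same hunk, the three commented-out `<img src="media/image3.png" ...>`, `image4.png` and `image5.png` blocks marked "PRESERVING ORIGINAL IMAGE CODING JUST IN CASE" sit directly above working Markdown image links and can be deleted rather than kept in the published source. The "OK to pilot with new driver from Windows Update" row also answers "Yes" under action required while its guidance says no action is required when the computer receives updates automatically; "Yes, if updates are not automatic" would match the guidance.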

View File

@ -0,0 +1,5 @@
---
title: Upgrade Analytics release notes (Windows 10)
description: Provides tips and limitations about Upgrade Analytics.
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements
---

View File

@ -0,0 +1,88 @@
---
title: Upgrade Analytics requirements (Windows 10)
description: Provides requirements for Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics requirements
This article introduces concepts and steps needed to get up and running with Upgrade Analytics. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Analytics.
## Supported upgrade paths
To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Analytics performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Analytics cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
<!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
Note: Upgrade Analytics is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Analytics insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
## Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If youre already using OMS, youll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solutions details page. Upgrade Analytics is now visible in your workspace.
If you are not using OMS, go to \[link to new Upgrade Analytics Web page on Microsoft.com\] and select **Upgrade Analytics Service** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Analytics solution to it.
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
## Telemetry and data sharing
After youve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, youll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics.
See \[link to Steve Mays PDF doc when its published\] for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, youll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
`https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://settings-win.data.microsoft.com/settings`
`https://vortex.data.microsoft.com/health/keepalive`
`https://settings.data.microsoft.com/qos`
`http://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
>**Note** The compatibility update KB runs under the computers system account and does not support user authentication in this release.
**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. Youll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as youll need it later.
**Subscribe your OMS workspace to Upgrade Analytics.** For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, youll need to subscribe your OMS workspace to Upgrade Analytics.
**Enable telemetry and connect data sources.** To allow Upgrade Analytics to collect system, application, and driver data and assess your organizations upgrade readiness, communication must be established between Upgrade Analytics and user computers. Youll need to connect Upgrade Analytics to your data sources and enable telemetry to establish communication.
**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you dont already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
>**Important**<br> The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
**Configure and deploy Upgrade Analytics deployment script.** Configure and deploy the Upgrade Analytics deployment script to user computers to finish setting up.
## Important information about this release
Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
**Upgrade Analytics does not support on-premise Windows deployments.** Upgrade Analytics is built as a cloud service, which allows Upgrade Analytics to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premise.
**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Analytics solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. Were adding support for additional regions and well update this information when new international regions are supported.
### Tips
- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items.
- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
## Get started
See [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Analytics and getting started on your Windows upgrade project.
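
Review bot: Two bracketed authoring placeholders are still in the text: "\[link to new Upgrade Analytics Web page on Microsoft.com\]" in the Operations Management Suite section and "\[link to Steve Mays PDF doc when its published\]" in Telemetry and data sharing. Replace both with real links or remove the sentences before merge; the second is the only pointer to what user computer data is collected, which is what a security group will ask for when approving the endpoint list. In that list, `http://go.microsoft.com/fwlink/?LinkID=544713` is the only entry that is not HTTPS; if that is intentional, say so next to the entry. "Upgrade Anatlyics" under Important information about this release is a typo.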

View File

@ -0,0 +1,122 @@
---
title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics - Resolve application and driver issues
This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
You can change an applications upgrade decision and a drivers upgrade decision from the blades in this section. To change an applications or a drivers importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
Upgrade decisions include:
| Upgrade decision | When to use it | Guidance |
|--------------------|-------------------|-------------|
| Not reviewed | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress.** <br><br> <br> | Some applications are automatically assigned upgrade decisions based on information known to Microsoft. <br><br>All drivers are marked not reviewed by default.<br><br> |
| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.<br><br>Until youve determined that applications and drivers will migrate successfully or youve resolved blocking issues, leave the upgrade decision status as **Review in progress**. <br><br> | Once youve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**. <br> |
| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once youve resolved all blocking issues and youre confident that they will upgrade successfully, or if youve decided to upgrade them as-is. | Applications with no known issues or with low installation rates are marked **Ready to upgrade** by default.<br><br>Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. <br><br>All drivers are marked **Not reviewed** by default. <br> |
| Wont upgrade | By default, no applications or drivers are marked **Wont upgrade** because only you can make that determination. <br><br>Use **Wont upgrade** for computers you dont want to upgrade. <br> | If, during your investigation into an application or driver, you determine that they should not be upgraded, mark them **Wont upgrade**. <br><br> |
The blades in the **Resolve issues** section are:
## Review applications with known issues
Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image6.png" width="192" height="321" />
-->
![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png)
To change an application's upgrade decision:
1. Select **Decide upgrade readiness** to view applications with issues.
2. In the table view, sort on **UpgradeAssessment** to group applications into **Attention needed** and **Fix available**.
3. Select **User changes** to change the upgrade decision for each application.
4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
5. Click **Save** when finished.
IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|-----------|-----------------|------------|
| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system. <br> | No action is required for the upgrade to proceed. |
| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade. <br><br>The application may work on the new operating system.<br> | Remove the application before upgrading, and reinstall and test on new operating system. |
| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.<br> |
| Attention needed | No | Does not work with new OS, but wont block upgrade | The application is not compatible with the new operating system, but wont block the upgrade. | No action is required for the upgrade to proceed, however, youll have to install a compatible version of the application on the new operating system.<br> |
| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading. <br><br>A compatible version of the application may be available.<br> |
| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.<br> | Test the applications behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.<br> |
| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. |
For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft.
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|----------|-----------------|-------------|
| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and wont migrate. A compatible version of the application is available. | Update the application before upgrading. |
| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.<br> | No action is required for the upgrade to proceed. Reinstall application on the new operating system. |
| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but wont migrate. | Remove the application before upgrading and reinstall on the new operating system.<br> |
| Fix available | Yes | Disk encryption blocking upgrade | The applications encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.<br> |
## Review applications with no known issues
Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image7.png" width="197" height="336" />
-->
![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png)
Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
To change an application's upgrade decision:
1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
2. Select **User changes** to change the upgrade decision for each application.
3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
4. Click **Save** when finished.
## Review drivers with known issues
Drivers that wont migrate to the new operating system are listed, grouped by availability.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image8.png" width="197" height="316" />
-->
![Review drivers with known issues](images/upgrade-analytics-drivers-known.png)
Availability categories are explained in the table below.
| Driver availability | Action required before or after upgrade? | What it means | Guidance |
|-----------------------|------------------------------------------|----------------|--------------|
| Available in-box | No, for awareness only | The currently installed version of an application or driver wont migrate to the new operating system; however, a compatible version is installed with the new operating system.<br> | No action is required for the upgrade to proceed. |
| Import from Windows Update | Yes | The currently installed version of a driver wont migrate to the new operating system; however, a compatible version is available from Windows Update.<br> | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading. <br> |
| Available in-box and from Windows Update | Yes | The currently installed version of a driver wont migrate to the new operating system. <br><br>Although a new driver is installed during upgrade, a newer version is available from Windows Update. <br> | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading. <br> |
| Check with vendor | Yes | The driver wont migrate to the new operating system and we are unable to locate a compatible version. <br> | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. |
To change a drivers upgrade decision:
1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table.
2. Select **User changes** to enable user input.
3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
4. Click **Save** when finished.
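
Review bot: The introduction mixes two different settings: "To change an applications or a drivers importance level, select **User changes**" is followed by choosing from the **Select upgrade decision** list, so "importance level" should read "upgrade decision". Related copy-paste slips in this file: step 1 under Review applications with no known issues says "to view applications with issues"; the **Not reviewed** row repeats the "When to use it" text of **Review in progress**; the Wont upgrade row says "for computers you dont want to upgrade" although the decision applies to applications and drivers; the Available in-box driver row says "application or driver"; and "The blades in the **Resolve issues** section are:" is followed by a heading instead of a list. Typos: "IMORTANT:" and "then then" (twice).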

View File

@ -0,0 +1,26 @@
---
title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
description: Describes how to use Upgrade Analytics to manage Windows upgrades.
ms.prod: w10
author: MaggiePucciEvans
---
# Use Upgrade Analytics to manage Windows upgrades
This topic explains how to use the Upgrade Analytics solution to plan, manage, and deploy Windows upgrades.
Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organizations upgrade readiness.
You and your IT team can use the Upgrade Analytics workflow to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. You can then export the list of upgrade-ready computers and start deploying Windows with confidence, knowing that youve addressed potential blocking issues.
Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
The Upgrade Analytics workflow gives you compatibility and usage information about computers, applications, and drivers and walks you through these high-level tasks. Each task is described in more detail in the topics that follow.
1. [Preparing your environment](upgrade-analytics-prepare-your-environment.md)
2. [Resolving application and driver issues](upgrade-analytics-resolve-issues.md)
3. [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)
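
Review bot: "are reflected 24 hours after you make them" states a fixed delay, while the data refresh text elsewhere in this change says user changes are processed once every 24 hours, which means a change can appear sooner. "within 24 hours" would be consistent with that. The numbered links also use gerund titles ("Resolving application and driver issues") that differ from the target topic's heading ("Upgrade Analytics - Resolve application and driver issues"); matching them helps readers confirm they landed on the right topic.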

View File

@ -1,5 +1,8 @@
# [Keep Windows 10 secure](index.md)
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
@ -11,17 +14,8 @@
### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)
### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
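
Review bot: The header counts for this hunk (17 old lines, 8 new) indicate that the Device Guard deployment guide entry and its nine child topics leave this position, and the later hunk at new line 822 lists only the single top-level entry "Device Guard deployment guide" under Enterprise security guides. If that reading is right, the child topics (code integrity policy rules and steps, catalog files, enabling virtualization-based security) no longer have TOC entries. Either move the children together with the parent or confirm they are meant to be reachable only from the guide page.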
@ -31,6 +25,7 @@
#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
#### [Windows Information Protection (WIP) overview](wip-enterprise-overview.md)
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
@ -827,6 +822,7 @@
###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
### [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Microsoft Passport guide](microsoft-passport-guide.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
### [Windows 10 security overview](windows-10-security-guide.md)

View File

@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
- Remote Credential Guard change to link when ready (remote-credential-guard.md)
- [Remote Credential Guard](remote-credential-guard.md)
## July 2016

View File

@ -28,15 +28,21 @@ For information about enabling Credential Guard, see [Protect derived domain cre
## Windows feature requirements for virtualization-based security
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1).
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must enable certain operating system features before you can enable VBS:
- With Windows 10, version 1607 or Windows Server 2016:<br>
Hyper-V Hypervisor (shown in Figure 1).
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>
Hyper-V Hypervisor and Isolated User Mode (not shown).
> **Note**&nbsp;&nbsp;You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, see [Protect derived domain credentials with Credential Guard](credential-guard.md).
 
![Turn Windows features on or off](images/dg-fig1-enableos.png)
Figure 1. Enable operating system features for VBS
Figure 1. Enable operating system feature for VBS
After you enable these features, you can configure any additional hardware-based security features you want. The following sections provide more information:
After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information:
- [Enable Unified Extensible Firmware Interface Secure Boot](#enable-unified-extensible-firmware-interface-secure-boot)
- [Enable virtualization-based security for kernel-mode code integrity](#enable-virtualization-based-security-for-kernel-mode-code-integrity)
@ -44,7 +50,7 @@ After you enable these features, you can configure any additional hardware-based
Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10.
> **Note**&nbsp;&nbsp;There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled.
> **Note**&nbsp;&nbsp;There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. For more information about how IOMMUs help protect against DMA attacks, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
@ -52,9 +58,9 @@ Before you begin this process, verify that the target device meets the hardware
3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate:
- Set this value to **1** to enable the **Secure Boot** option.
- Set this value to **2** to enable the **Secure Boot with DMA Protection** option.
| **With Windows 10, version 1607, <br>or Windows Server 2016** | **With an earlier version of Windows 10, <br>or Windows Server 2016 Technical Preview 5 or earlier** |
| ---------------- | ---------------- |
| **1** enables the **Secure Boot** option<br>**3** enables the **Secure Boot and DMA protection** option | **1** enables the **Secure Boot** option<br>**2** enables the **Secure Boot and DMA protection** option |
4. Restart the client computer.
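Review bot: The new value table in step 3 gives **3** for Secure Boot and DMA protection on Windows 10, version 1607, and **2** on earlier versions, but it does not say what happens to a device that already has RequirePlatformSecurityFeatures set to 2 when it is upgraded to version 1607. Add a sentence under the table stating how version 1607 treats the value 2, or instruct administrators to set the value again after the upgrade, so that devices configured under the old guidance do not end up at a different platform security level than intended.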
@ -80,11 +86,11 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
Figure 6. Enable VBS
5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
5. Select the **Enabled** button, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
![Group Policy, Turn On Virtualization Based Security](images/device-guard-gp.png)
Figure 7. Enable Secure Boot
Figure 7. Enable Secure Boot (in Windows 10, version 1607)
> **Note**&nbsp;&nbsp;Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMUs, there are several mitigations provided by leveraging Secure Boot without DMA Protection.
@ -102,7 +108,11 @@ Before you begin this process, verify that the desired computer meets the hardwa
**To configure virtualization-based protection of KMCI manually:**
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
1. Navigate to the appropriate registry subkey:
- With Windows 10, version 1607, or Windows Server 2016:<br>**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios**
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard**
2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
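Review bot: Step 2 was left unchanged while step 1 now sends version 1607 readers to the ...\DeviceGuard\Scenarios subkey, so the procedure as written creates a HypervisorEnforcedCodeIntegrity DWORD directly under Scenarios. Please confirm that this is the value name and location that version 1607 actually reads. If the 1607 layout uses a different value name or a further subkey, step 2 needs the same per-version split as step 1. Otherwise the value is written where nothing consumes it, and KMCI protection looks configured while it is off.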
@ -130,11 +140,15 @@ It would be time consuming to perform these steps manually on every protected co
Figure 3. Enable VBS
5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box.
5. Select the **Enabled** button, and then for **Virtualization Based Protection of Code Integrity**, select the appropriate option:
- With Windows 10, version 1607 or Windows Server 2016, choose an enabled option:<br>For an initial deployment or test deployment, we recommend **Enabled without UEFI lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png)
Figure 4. Enable VBS of KMCI
Figure 4. Enable VBS of KMCI (in Windows 10, version 1607)
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart.
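Review bot: The version 1607 bullet in step 5 recommends changing to **Enabled with UEFI lock** once the deployment is stable, but it does not say how to back the setting out afterwards. Since the stated purpose of the lock is to resist registry tampering, readers will ask whether clearing the policy is enough to turn the feature off; add a sentence or a link that describes the rollback procedure. Step 6 also still says "restart the Windows 10 test computer", which no longer matches a step that now covers Windows Server 2016 as well.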
@ -176,7 +190,12 @@ Table 1. Win32\_DeviceGuard properties
<li><p><strong>1.</strong> If present, hypervisor support is available.</p></li>
<li><p><strong>2.</strong> If present, Secure Boot is available.</p></li>
<li><p><strong>3.</strong> If present, DMA protection is available.</p></li>
</ul></td>
<li><p><strong>4.</strong> If present, Secure Memory Overwrite is available.</p></li>
<li><p><strong>5.</strong> If present, NX protections are available.</p></li>
<li><p><strong>6.</strong> If present, SMM mitigations are available.</p></li>
</ul>
<p><strong>Note</strong>: 4, 5, and 6 were added as of Windows 10, version 1607.</p>
</td>
</tr>
<tr class="even">
<td align="left"><strong>InstanceIdentifier</strong></td>
@ -188,10 +207,15 @@ Table 1. Win32\_DeviceGuard properties
<td align="left">This field describes the required security properties to enable virtualization-based security.</td>
<td align="left"><ul>
<li><p><strong>0.</strong> Nothing is required.</p></li>
<li><p><strong>1.</strong> If present, Secure Boot is needed.</p></li>
<li><p><strong>2.</strong> If present, DMA protection is needed.</p></li>
<li><p><strong>3.</strong> If present, both Secure Boot and DMA protection are needed.</p></li>
</ul></td>
<li><p><strong>1.</strong> If present, hypervisor support is needed.</p></li>
<li><p><strong>2.</strong> If present, Secure Boot is needed.</p></li>
<li><p><strong>3.</strong> If present, DMA protection is needed.</p></li>
<li><p><strong>4.</strong> If present, Secure Memory Overwrite is needed.</p></li>
<li><p><strong>5.</strong> If present, NX protections are needed.</p></li>
<li><p><strong>6.</strong> If present, SMM mitigations are needed.</p></li>
</ul>
<p><strong>Note</strong>: 4, 5, and 6 were added as of Windows 10, version 1607.</p>
</td>
</tr>
<tr class="even">
<td align="left"><strong>SecurityServicesConfigured</strong></td>
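Review bot: In the RequiredSecurityProperties cell, the added note says only that 4, 5, and 6 are new in version 1607, yet the same hunk also changes what 1, 2, and 3 mean: 1 goes from Secure Boot to hypervisor support, 2 from DMA protection to Secure Boot, and 3 from "both Secure Boot and DMA protection" to DMA protection alone. Scripts that interpret this property with the old meanings will misreport device state, so the note should call out the renumbering, or the cell should give the old and new meanings per version as the RequirePlatformSecurityFeatures registry table does. It would also help to say how these values relate to that registry value, where this same commit documents 3 as Secure Boot and DMA protection.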

View File

@ -21,8 +21,8 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
@ -30,7 +30,6 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
 
## Related topics

View File

@ -98,7 +98,7 @@ Although the Microsoft account was designed to serve consumers, you might find s
- **Integrated social media services**:
Contact information and status for your users friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as SkyDrive, Facebook, and Flickr.
Contact information and status for your users friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
### Managing the Microsoft account in the domain

View File

@ -0,0 +1,103 @@
---
title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10)
description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Protect Remote Desktop credentials with Remote Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
You can use Remote Credential Guard in the following ways:
- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
Use the following diagrams to help understand how Remote Credential Guard works and what it helps protect against.
![Remote Credential Guard](images/remote-credential-guard.png)
## Hardware and software requirements
The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
- They must be joined to an Active Directory domain
- Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
- They must use Kerberos authentication.
- They must be running at least Windows 10, version 1607 or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
## Enable Remote Credential Guard
You must enable Remote Credential Guard on the target device by using the registry.
1. Open Registry Editor.
2. Enable Remote Credential Guard:
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard.
3. Close Registry Editor.
You can add this by running the following from an elevated command prompt:
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
## Using Remote Credential Guard
You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.
### Turn on Remote Credential Guard by using Group Policy
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
2. Double-click **Restrict delegation of credentials to remote servers**.
3. In the **Use the following restricted mode** box:
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
> **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**.
4. Click **OK**.
![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
5. Close the Group Policy Management Console.
6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
### Use Remote Credential Guard with a parameter to Remote Desktop Connection
If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.
```
mstsc.exe /remoteGuard
```
## Considerations when using Remote Credential Guard
- Remote Credential Guard does not include device claims. For example, if youre trying to access a file server from the remote and the file server requires device claim, access will be denied.
- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
- Remote Desktop Credential Guard only works with the RDP protocol.
- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own.
- Remote Desktop Gateway is not compatible with Remote Credential Guard.
- You cannot used saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.
- The server and client must authenticate using Kerberos.
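Review bot: In step 3 of the Group Policy procedure, the option labelled **Require Credential Guard** is described as preferring Remote Credential Guard and falling back to Restricted Admin mode, which is the behaviour a reader would expect from **Prefer Remote Credential Guard**, and the second bullet then describes the Prefer option only as "allow". Check both descriptions against the actual policy option names and state clearly which option permits the Restricted Admin fallback and which one refuses the connection, because choosing the wrong one changes whether the protection is enforced. Smaller points: "Both devices must either joined" is missing "be", "You cannot used saved credentials" should read "use", "Remote Desktop Credential Guard" under Considerations does not match the feature name used elsewhere in the topic, and the last two Considerations bullets repeat the requirements list.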

View File

@ -55,7 +55,7 @@ The following tables provide more information about the hardware, firmware, and
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511)
### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
@ -63,7 +63,7 @@ The following tables describes additional hardware and firmware requirements, an
<br>
### 2016 Additional Qualification Requirements for Device Guard (Windows 10, version 1607)
### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
> **Important**&nbsp;&nbsp;The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.

View File

@ -74,7 +74,7 @@ Event ID | Error Type | Resolution steps
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer].(event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
<br>

View File

@ -634,7 +634,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interact
## Secure the Windows desktop
Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows applications are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the applications risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows apps are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the applications risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
The sections that follow describe Windows 10 improvements to application security in more detail.
**Microsoft Edge and Internet Explorer 11**

View File

@ -0,0 +1,77 @@
---
title: Windows Information Protection overview (Windows 10)
description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP).
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
---
# Windows Information Protection (WIP) overview
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Benefits of WIP
WIP provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
- Ability to wipe corporate data from devices while leaving personal data alone.
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager 2016, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
## Enterprise scenarios
WIP currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
## Why use WIP?
WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
You dont have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
- **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your protected apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, reverting to where you were pre-WIP, with no data loss. However, turning off WIP isn't recommended. If you choose to turn it off, you can always turn it back on, but WIP won't retain your decryption and policies info.
## Related topics
- [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-EDP.md)
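Review bot: In the "Deciding your level of data access" bullet the three modes are introduced as "block, allow overrides, or audit", but the explanation then calls the third one "Silent"; use one term in both places so admins can match it to the policy setting. The "Turn off WIP" section also says turning WIP off causes "no data loss" and then that WIP "won't retain your decryption and policies info", so it needs a sentence on what happens to files that are already encrypted. Smaller points: "an WIP-protected device" should be "a WIP-protected device", and the related-topics link still targets protect-enterprise-data-using-EDP.md while the text says WIP throughout.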

View File

@ -3,6 +3,7 @@
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)

View File

@ -26,6 +26,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
| ---|---|
| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | New |
| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |

View File

@ -94,10 +94,10 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
<!--
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called Windows 10 Upgrade Analytics, will be available in Summer 2016.
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md).
#### Windows 10 Upgrade Analytics
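Review bot: The rewritten sentence "The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md)." has no verb now that "will be available in Summer 2016" is gone; finish it, for example "The first of these is [Windows 10 Upgrade Analytics](...)". The section also sits after a `<!--` marker, so the new link will not render; confirm that hiding it is intended.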
@ -119,7 +119,6 @@ Use Upgrade Analytics to get:
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-->
## How is telemetry data handled by Microsoft?
### Data collection
@ -180,7 +179,8 @@ The levels are cumulative and are illustrated in the following diagram. Also, th
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
> **Note:**  If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
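Review bot: The context line directly above the converted note still reads "Windos IoT Core editions"; since this hunk reworks the paragraph that follows it, correct it to "Windows IoT Core" in the same change so the list of editions that support the Security level is accurate.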
@ -192,14 +192,15 @@ The data gathered at this level includes:
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
>**Note:**  You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
 
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
**Note**  
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
@ -300,7 +301,8 @@ IT pros can use various methods, including Group Policy and Mobile Device Manage
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
>**Important:**  These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
> [!IMPORTANT]
> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
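Review bot: The converted [!IMPORTANT] text carries over "how you can to opt in or opt out" unchanged; drop the stray "to" while the line is being rewritten, so it reads "how you can opt in or opt out".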
@ -368,7 +370,8 @@ There are a few more settings that you can turn off that may send telemetry info
- Turn off **Linguistic Data Collection** in **Settings** &gt; **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
>**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
## Additional resources

View File

@ -24,7 +24,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guardmd), a new feature in Windows 10, version 1607, is turned off on the client PC.
- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
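Review bot: The Remote Credential Guard step in the Set up list tells readers to make sure the feature is turned off on the client PC but gives no reason or scope. Because this asks admins to disable a credential protection feature, add a sentence saying why the connection needs it off and whether the setting only has to hold while connecting to the Azure AD-joined PC.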

Binary file not shown.

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 59 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 257 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 227 KiB

View File

@ -22,9 +22,9 @@ Learn about the network connections that Windows components make to Microsoft an
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, Windows 10, version 1507, and Windows 10, version 1511. However, you must use Windows 10 Enterprise, version 1607 or Windows 10 Education, version 1607 to manage them all.
In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
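Review bot: The replacement for the paragraph that began "In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511" drops the edition qualifier, so "You can configure telemetry at the Security level" now reads as applying to every edition. The telemetry topic changed in this same commit states that the Security level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions; keep that restriction here or link to it.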
@ -32,224 +32,164 @@ Here's what's covered in this article:
- [Info management settings](#bkmk-othersettings)
- [1. Cortana](#bkmk-cortana)
- [1. Certificate trust lists](#certificate-trust-lists)
- [1.1 Cortana Group Policies](#bkmk-cortana-gp)
- [2. Cortana](#bkmk-cortana)
- [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2.1 Cortana Group Policies](#bkmk-cortana-gp)
- [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [2.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2. Date & Time](#bkmk-datetime)
- [2.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [3. Device metadata retrieval](#bkmk-devinst)
- [3. Date & Time](#bkmk-datetime)
- [4. Font streaming](#font-streaming)
- [4. Device metadata retrieval](#bkmk-devinst)
- [5. Insider Preview builds](#bkmk-previewbuilds)
- [5. Font streaming](#font-streaming)
- [6. Internet Explorer](#bkmk-ie)
- [6. Insider Preview builds](#bkmk-previewbuilds)
- [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [7. Internet Explorer](#bkmk-ie)
- [6.2 ActiveX control blocking](#bkmk-ie-activex)
- [7.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [7. Live Tiles](#live-tiles)
- [7.2 ActiveX control blocking](#bkmk-ie-activex)
- [8. Live Tiles](#live-tiles)
- [8. Mail synchronization](#bkmk-mailsync)
- [9. Mail synchronization](#bkmk-mailsync)
- [9. Microsoft Edge](#bkmk-edge)
- [10. Microsoft Edge](#bkmk-edge)
- [9.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [10.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [10.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [10.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [10. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Offline maps](#bkmk-offlinemaps)
- [12. Offline maps](#bkmk-offlinemaps)
- [12. OneDrive](#bkmk-onedrive)
- [13. OneDrive](#bkmk-onedrive)
- [13. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Settings &gt; Privacy](#bkmk-settingssection)
- [15. Settings &gt; Privacy](#bkmk-settingssection)
- [14.1 General](#bkmk-priv-general)
- [15.1 General](#bkmk-priv-general)
- [14.2 Location](#bkmk-priv-location)
- [15.2 Location](#bkmk-priv-location)
- [14.3 Camera](#bkmk-priv-camera)
- [15.3 Camera](#bkmk-priv-camera)
- [14.4 Microphone](#bkmk-priv-microphone)
- [15.4 Microphone](#bkmk-priv-microphone)
- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
- [15.5 Notifications](#bkmk-priv-notifications)
- [14.6 Account info](#bkmk-priv-accounts)
- [15.6 Speech, inking, & typing](#bkmk-priv-speech)
- [14.7 Contacts](#bkmk-priv-contacts)
- [15.7 Account info](#bkmk-priv-accounts)
- [14.8 Calendar](#bkmk-priv-calendar)
- [15.8 Contacts](#bkmk-priv-contacts)
- [14.9 Call history](#bkmk-priv-callhistory)
- [15.9 Calendar](#bkmk-priv-calendar)
- [14.10 Email](#bkmk-priv-email)
- [15.10 Call history](#bkmk-priv-callhistory)
- [14.11 Messaging](#bkmk-priv-messaging)
- [15.11 Email](#bkmk-priv-email)
- [14.12 Radios](#bkmk-priv-radios)
- [15.12 Messaging](#bkmk-priv-messaging)
- [14.13 Other devices](#bkmk-priv-other-devices)
- [15.13 Radios](#bkmk-priv-radios)
- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [15.14 Other devices](#bkmk-priv-other-devices)
- [14.15 Background apps](#bkmk-priv-background)
- [15.15 Feedback & diagnostics](#bkmk-priv-feedback)
- [15. Software Protection Platform](#bkmk-spp)
- [15.16 Background apps](#bkmk-priv-background)
- [16. Sync your settings](#bkmk-syncsettings)
- [16. Software Protection Platform](#bkmk-spp)
- [17. Teredo](#bkmk-teredo)
- [17. Sync your settings](#bkmk-syncsettings)
- [18. Wi-Fi Sense](#bkmk-wifisense)
- [18. Teredo](#bkmk-teredo)
- [19. Windows Defender](#bkmk-defender)
- [19. Wi-Fi Sense](#bkmk-wifisense)
- [20. Windows Media Player](#bkmk-wmp)
- [20. Windows Defender](#bkmk-defender)
- [21. Windows spotlight](#bkmk-spotlight)
- [21. Windows Media Player](#bkmk-wmp)
- [22. Windows Store](#bkmk-windowsstore)
- [22. Windows spotlight](#bkmk-spotlight)
- [23. Windows Update Delivery Optimization](#bkmk-updates)
- [23. Windows Store](#bkmk-windowsstore)
- [23.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [24. Windows Update Delivery Optimization](#bkmk-updates)
- [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [24.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
- [24.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
- [24.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
- [24. Windows Update](#bkmk-wu)
- [24.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
## What's new in Windows 10, version 1511
- [25. Windows Update](#bkmk-wu)
## What's new in Windows 10, version 1607
Here's a list of changes that were made to this article for Windows 10, version 1511:
Here's a list of changes that were made to this article for Windows 10, version 1607:
- Added the following new sections:
- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech).
- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy.
- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists).
- Added a new setting in [25. Windows Update](#bkmk-wu).
- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi).
- [Mail synchronization](#bkmk-mailsync)
- Added the following Group Policies:
- [Offline maps](#bkmk-offlinemaps)
- [Windows spotlight](#bkmk-spotlight)
- [Windows Store](#bkmk-windowsstore)
- Added the following Group Policies:
- Open a new tab with an empty tab
- Configure corporate Home pages
- Let Windows apps access location
- Let Windows apps access the camera
- Let Windows apps access the microphone
- Let Windows apps access account information
- Let Windows apps access contacts
- Let Windows apps access the calendar
- Let Windows apps access messaging
- Let Windows apps control radios
- Let Windows apps access trusted devices
- Do not show feedback notifications
- Turn off Automatic Download and Update of Map Data
- Force a specific default lock screen image
- Added the AllowLinguisticDataCollection MDM policy.
- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
- Changed the Windows Update section to apply system-wide settings, and not just per user.
- Turn off unsolicited network traffic on the Offline Maps settings page
- Turn off all Windows spotlight features
## <a href="" id="bkmk-othersettings"></a>Info management settings
This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
- [1. Cortana](#bkmk-cortana)
- [2. Date & Time](#bkmk-datetime)
- [3. Device metadata retrieval](#bkmk-devinst)
- [4. Font streaming](#font-streaming)
- [5. Insider Preview builds](#bkmk-previewbuilds)
- [6. Internet Explorer](#bkmk-ie)
- [7. Live Tiles](#live-tiles)
- [8. Mail synchronization](#bkmk-mailsync)
- [9. Microsoft Edge](#bkmk-edge)
- [10. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Offline maps](#bkmk-offlinemaps)
- [12. OneDrive](#bkmk-onedrive)
- [13. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Settings &gt; Privacy](#bkmk-settingssection)
- [15. Software Protection Platform](#bkmk-spp)
- [16. Sync your settings](#bkmk-syncsettings)
- [17. Teredo](#bkmk-teredo)
- [18. Wi-Fi Sense](#bkmk-wifisense)
- [19. Windows Defender](#bkmk-defender)
- [20. Windows Media Player](#bkmk-wmp)
- [21. Windows spotlight](#bkmk-spotlight)
- [22. Windows Store](#bkmk-windowsstore)
- [23. Windows Update Delivery Optimization](#bkmk-updates)
- [24. Windows Update](#bkmk-wu)
The settings in this section assume you are using Windows 10, version 1607. They will also be included in the next update for the Long Term Servicing Branch.
See the following table for a summary of the management settings. For more info, see its corresponding section.
![Management settings table](images/settings-table.png)
### <a href="" id="bkmk-cortana"></a>1. Cortana
### <a href="" id="certificate-trust-lists"></a>1. Certificate trust lists
A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available.
To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list.
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
-or-
- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate**, with a value of 1.
After that, do the following in a Group Policy:
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
### <a href="" id="bkmk-cortana"></a>2. Cortana
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
### <a href="" id="bkmk-cortana-gp"></a>1.1 Cortana Group Policies
### <a href="" id="bkmk-cortana-gp"></a>2.1 Cortana Group Policies
Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Search**.
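Review bot: In the new "1. Certificate trust lists" section, the registry step names the value **DisableRootAutoUpdate** and then gives the location as ...\SystemCertificates\AuthRoot\DisableRootAutoUpdate, so it is unclear whether DisableRootAutoUpdate is a subkey or the value under AuthRoot; give the key path and the value name separately, and use the same `\\` escaping as the other registry paths in this file. The text says turning off automatic root updates "also includes the disallowed certificate list and the pin rules list", so it should state plainly that devices configured this way stop receiving those lists automatically and need another way to keep them current. The "-or-" followed by "After that, do the following in a Group Policy" leaves it unclear whether the Public Key Policies steps are required after both options or only after the registry one. Also, "a list of file name" should be "a list of file names".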
@ -261,7 +201,10 @@ Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Ad
| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
| Set what information is shared in Search | Control what information is shared with Bing in Search. |
When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
In Windows 10, version 1507 and Windows 10, version 1511, When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
>[!IMPORTANT]
>These steps are not required for devices running Windows 10, version 1607.
1. Expand **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Firewall with Advanced Security** &gt; **Windows Firewall with Advanced Security - &lt;LDAP name&gt;**, and then click **Outbound Rules**.
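Review bot: The rewritten paragraph reads "version 1511, When you enable" with a capital "When" mid-sentence; lower-case it. The added [!IMPORTANT] block says "These steps are not required for devices running Windows 10, version 1607" but is placed before the numbered steps it refers to, so word it as "The following steps" to make clear it covers the Windows Firewall rule procedure.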
@ -287,9 +230,9 @@ When you enable the **Don't search the web or display web results in Search** Gr
- For **Remote port**, choose **All ports**.
> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
### <a href="" id="bkmk-cortana-mdm"></a>1.2 Cortana MDM policies
### <a href="" id="bkmk-cortana-mdm"></a>2.2 Cortana MDM policies
The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
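Review bot: The Fiddler paragraph loses its "> **Note:**" marker here and becomes plain body text, while the rest of this commit converts notes to the "> [!NOTE]" form; convert this one the same way so the caveat that Windows Firewall does not block proxy traffic stays visible to anyone validating the outbound rule. "WireShark" should also be spelled "Wireshark".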
@ -298,11 +241,11 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn
| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results. <br /> Default: Allowed|
### <a href="" id="bkmk-cortana-prov"></a>1.3 Cortana Windows Provisioning
### <a href="" id="bkmk-cortana-prov"></a>2.3 Cortana Windows Provisioning
To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies** to find **Experience** &gt; **AllowCortana** and **Search** &gt; **AllowSearchToUseLocation**.
### <a href="" id="bkmk-datetime"></a>2. Date & Time
### <a href="" id="bkmk-datetime"></a>3. Date & Time
You can prevent Windows from setting the time automatically.
@ -312,19 +255,20 @@ You can prevent Windows from setting the time automatically.
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### <a href="" id="bkmk-devinst"></a>3. Device metadata retrieval
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**.
### <a href="" id="font-streaming"></a>4. Font streaming
### <a href="" id="font-streaming"></a>5. Font streaming
Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
> **Note:** This may change in future versions of Windows.
> [!NOTE]
> This may change in future versions of Windows.
### <a href="" id="bkmk-previewbuilds"></a>5. Insider Preview builds
### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds
To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
@ -354,11 +298,11 @@ To turn off Insider Preview builds if you're running a released version of Windo
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
### <a href="" id="bkmk-ie"></a>6. Internet Explorer
### <a href="" id="bkmk-ie"></a>7. Internet Explorer
Use Group Policy to manage settings for Internet Explorer.
### <a href="" id="bkmk-ie-gp"></a>6.1 Internet Explorer Group Policies
### <a href="" id="bkmk-ie-gp"></a>7.1 Internet Explorer Group Policies
Find the Internet Explorer Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Internet Explorer**.
@ -370,19 +314,26 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
### <a href="" id="bkmk-ie-activex"></a>6.2 ActiveX control blocking
There are two more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website. <br /> Default: Enabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices. <br /> Default: Enabled |
### <a href="" id="bkmk-ie-activex"></a>7.2 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
### <a href="" id="live-tiles"></a>7. Live Tiles
### <a href="" id="live-tiles"></a>8. Live Tiles
To turn off Live Tiles:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
### <a href="" id="bkmk-mailsync"></a>8. Mail synchronization
### <a href="" id="bkmk-mailsync"></a>9. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
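Review bot: The two rows added under "There are two more Group Policy objects that are used by Internet Explorer" give only "Default: Enabled" for policies whose names begin with "Turn off", so a reader cannot tell whether it is the feature or the policy that is enabled by default, or which state stops the traffic. Suggest stating the value to set in each row. The new table and the Live Tiles bullet also use a raw `>` in policy paths where the surrounding lines use `&gt;`; pick one form.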
@ -400,15 +351,29 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Mail** &gt; **Turn off Windows Mail application**
### <a href="" id="bkmk-edge"></a>9. Microsoft Edge
### <a href="" id="bkmk-edge"></a>10. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
### <a href="" id="bkmk-edgegp"></a>9.1 Microsoft Edge Group Policies
### <a href="" id="bkmk-edgegp"></a>10.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**.
> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
> [!NOTE]
> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Configure autofill | Choose whether employees can use autofill on websites. <br /> Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> Default: Disabled |
| Configure password manager | Choose whether employees can save passwords locally on their devices. <br /> Default: Enabled |
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. <br /> Default: Enabled |
| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
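Review bot: In the new version 1607 table, the row "Allow web content on New Tab page" carries the description "Choose whether a new tab page appears", which is the wording used for the 1511 policy "Open a new tab with an empty tab". The renamed policy appears to invert the sense of the old one, so the description and the meaning of "Default: Enabled" should be rewritten for the new name. The first table would also benefit from a sentence labelling it as the version 1607 names, since only the 1511 table gets an introduction.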
@ -420,7 +385,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Open a new tab with an empty tab | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
### <a href="" id="bkmk-edge-mdm"></a>9.2 Microsoft Edge MDM policies
### <a href="" id="bkmk-edge-mdm"></a>10.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -432,35 +397,42 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions.. <br /> Default: Allowed |
| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off. <br /> Default: Allowed |
### <a href="" id="bkmk-edge-prov"></a>9.3 Microsoft Edge Windows Provisioning
### <a href="" id="bkmk-edge-prov"></a>10.3 Microsoft Edge Windows Provisioning
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies**.
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
### <a href="" id="bkmk-ncsi"></a>10. Network Connection Status Indicator
### <a href="" id="bkmk-ncsi"></a>11. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com.
You can turn off NCSI through Group Policy:
- Enable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests**
> **Note** After you apply this policy, you must restart the device for the policy setting to take effect.
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
### <a href="" id="bkmk-offlinemaps"></a>11. Offline maps
### <a href="" id="bkmk-offlinemaps"></a>12. Offline maps
You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data**
### <a href="" id="bkmk-onedrive"></a>12. OneDrive
-and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
### <a href="" id="bkmk-onedrive"></a>13. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **OneDrive** &gt; **Prevent the usage of OneDrive for file storage**
### <a href="" id="bkmk-preinstalledapps"></a>13. Preinstalled apps
### <a href="" id="bkmk-preinstalledapps"></a>14. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
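Review bot: The replacement NCSI paragraph keeps the "NCIS" typo ("For more info about NCIS") from the line it replaces; correct it to NCSI while the line is being touched. The added Offline maps bullet uses a raw `>` in the policy path where the bullet above it uses `&gt;`, and the "-and-" joining them reads oddly when the second bullet applies only to version 1607 and later; consider wording it as an additional step for those versions.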
@ -572,47 +544,50 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
### <a href="" id="bkmk-settingssection"></a>14. Settings &gt; Privacy
### <a href="" id="bkmk-settingssection"></a>15. Settings &gt; Privacy
Use Settings &gt; Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
- [14.1 General](#bkmk-general)
- [15.1 General](#bkmk-general)
- [14.2 Location](#bkmk-priv-location)
- [15.2 Location](#bkmk-priv-location)
- [14.3 Camera](#bkmk-priv-camera)
- [15.3 Camera](#bkmk-priv-camera)
- [14.4 Microphone](#bkmk-priv-microphone)
- [15.4 Microphone](#bkmk-priv-microphone)
- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
- [15.5 Notifications](#bkmk-priv-notifications)
- [14.6 Account info](#bkmk-priv-accounts)
- [15.6 Speech, inking, & typing](#bkmk-priv-speech)
- [14.7 Contacts](#bkmk-priv-contacts)
- [15.7 Account info](#bkmk-priv-accounts)
- [14.8 Calendar](#bkmk-priv-calendar)
- [15.8 Contacts](#bkmk-priv-contacts)
- [14.9 Call history](#bkmk-priv-callhistory)
- [15.9 Calendar](#bkmk-priv-calendar)
- [14.10 Email](#bkmk-priv-email)
- [15.10 Call history](#bkmk-priv-callhistory)
- [14.11 Messaging](#bkmk-priv-messaging)
- [15.11 Email](#bkmk-priv-email)
- [14.12 Radios](#bkmk-priv-radios)
- [15.12 Messaging](#bkmk-priv-messaging)
- [14.13 Other devices](#bkmk-priv-other-devices)
- [15.13 Radios](#bkmk-priv-radios)
- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [15.14 Other devices](#bkmk-priv-other-devices)
- [14.15 Background apps](#bkmk-priv-background)
- [15.15 Feedback & diagnostics](#bkmk-priv-feedback)
### <a href="" id="bkmk-general"></a>14.1 General
- [15.16 Background apps](#bkmk-priv-background)
### <a href="" id="bkmk-general"></a>15.1 General
**General** includes options that don't fall into other areas.
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
@ -648,11 +623,12 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
> [!NOTE]
> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
@ -674,7 +650,15 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
### <a href="" id="bkmk-priv-location"></a>14.2 Location
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
- Turn off the feature in the UI.
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
- Turn off the feature in the UI.
### <a href="" id="bkmk-priv-location"></a>15.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
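Review bot: The first added setting name reads "continue experiences on this devices"; it should be "this device", matching the Bluetooth variant added two lines later. Both new settings offer only "Turn off the feature in the UI", and the section intro says these settings must be configured for every user account that signs in, so if a Group Policy or registry route exists it should be listed here, and if none exists the text should say so.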
@ -696,8 +680,8 @@ To turn off **Location for this device**:
- **2**. Turned on and the employee can't turn it off.
**Note**
You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@ -725,7 +709,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
### <a href="" id="bkmk-priv-camera"></a>14.3 Camera
### <a href="" id="bkmk-priv-camera"></a>15.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@ -747,8 +731,8 @@ To turn off **Let apps use my camera**:
- **1**. Apps can use the camera.
**Note**
You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@ -762,7 +746,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-microphone"></a>14.4 Microphone
### <a href="" id="bkmk-priv-microphone"></a>15.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@ -780,13 +764,26 @@ To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-speech"></a>14.5 Speech, inking, & typing
### <a href="" id="bkmk-priv-notifications"></a>15.5 Notifications
In the **Notifications** area, you can choose which apps have access to notifications.
To turn off **Let apps access my notifications**:
- Turn off the feature in the UI.
-or-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-speech"></a>15.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
> [!NOTE]
> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
To turn off the functionality:
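Review bot: The new 15.5 Notifications step lists the Group Policy path with raw `>` separators while the rest of the Settings > Privacy section uses `&gt;`; align it with the neighbouring sections. While this hunk is open, the Speech, inking, & typing intro below the renumbered heading says "calendar entrees", which should be "calendar entries".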
@ -802,9 +799,21 @@ To turn off the functionality:
-and-
Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
### <a href="" id="bkmk-priv-accounts"></a>14.6 Account info
If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
- **0** (default). Not allowed.
- **1**. Allowed.
-or-
- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero).
### <a href="" id="bkmk-priv-accounts"></a>15.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
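Review bot: The added Speech/AllowSpeechModelUpdate list marks "**0** (default). Not allowed.", but the alternative registry step sets AllowSpeechModelUpdate to 0 in order to turn updates off, which only makes sense if the default is allowed. Please check the default against the Policy CSP and move the "(default)" label if needed, and state which value to apply. The "Apply the Speech/AllowSpeechModelUpdate MDM policy" line is also missing the leading bullet that its "-or-" alternative has.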
@ -822,7 +831,7 @@ To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-contacts"></a>14.7 Contacts
### <a href="" id="bkmk-priv-contacts"></a>15.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@ -836,7 +845,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-calendar"></a>14.8 Calendar
### <a href="" id="bkmk-priv-calendar"></a>15.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@ -854,7 +863,7 @@ To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-callhistory"></a>14.9 Call history
### <a href="" id="bkmk-priv-callhistory"></a>15.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@ -868,7 +877,7 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-email"></a>14.10 Email
### <a href="" id="bkmk-priv-email"></a>15.11 Email
In the **Email** area, you can choose which apps have can access and send email.
@ -882,7 +891,7 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-messaging"></a>14.11 Messaging
### <a href="" id="bkmk-priv-messaging"></a>15.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@ -900,7 +909,7 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-radios"></a>14.12 Radios
### <a href="" id="bkmk-priv-radios"></a>15.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@ -918,7 +927,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-other-devices"></a>14.13 Other devices
### <a href="" id="bkmk-priv-other-devices"></a>15.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@ -936,14 +945,14 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-feedback"></a>14.14 Feedback & diagnostics
### <a href="" id="bkmk-priv-feedback"></a>15.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
To change how frequently **Windows should ask for my feedback**:
**Note**
Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
> [!NOTE]
> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
@ -977,7 +986,8 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
> **Note:** You can't use the UI to change the telemetry level to **Security**.
> [!NOTE]
> You can't use the UI to change the telemetry level to **Security**.
@ -1009,7 +1019,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
### <a href="" id="bkmk-priv-background"></a>14.15 Background apps
### <a href="" id="bkmk-priv-background"></a>15.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@ -1017,7 +1027,7 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-spp"></a>15. Software Protection Platform
### <a href="" id="bkmk-spp"></a>16. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
@ -1025,7 +1035,7 @@ Enterprise customers can manage their Windows activation status with volume lice
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### <a href="" id="bkmk-syncsettings"></a>16. Sync your settings
### <a href="" id="bkmk-syncsettings"></a>17. Sync your settings
You can control if your settings are synchronized:
@ -1051,13 +1061,13 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
### <a href="" id="bkmk-teredo"></a>17. Teredo
### <a href="" id="bkmk-teredo"></a>18. Teredo
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
- From an elevated command prompt, run **netsh interface teredo set state disabled**
### <a href="" id="bkmk-wifisense"></a>18. Wi-Fi Sense
### <a href="" id="bkmk-wifisense"></a>19. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the persons contacts have shared with them.
@ -1083,7 +1093,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but theyre non-functional and they cant be controlled by the employee.
### <a href="" id="bkmk-defender"></a>19. Windows Defender
### <a href="" id="bkmk-defender"></a>20. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
@ -1127,11 +1137,15 @@ You can stop downloading definition updates:
-and-
- Enable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
- Disable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
You can stop Enhanced Notifications:
- Turn off the feature in the UI.
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
### <a href="" id="bkmk-wmp"></a>20. Windows Media Player
### <a href="" id="bkmk-wmp"></a>21. Windows Media Player
To remove Windows Media Player:
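Review bot: The changed bullet now reads "Disable the Group Policy ... Define file shares for downloading definition updates and set it to nothing", which is self-contradictory: a disabled policy has no value to set. Either keep "Enable ... and set it to nothing" or drop the trailing clause. The added registry sentence also names the "Malicious Software Reporting Tool"; the MRT key belongs to the Malicious Software Removal Tool, so the name should be corrected.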
@ -1141,9 +1155,15 @@ To remove Windows Media Player:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
### <a href="" id="bkmk-spotlight"></a>21. Windows spotlight
### <a href="" id="bkmk-spotlight"></a>22. Windows spotlight
Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
@ -1162,7 +1182,8 @@ Windows spotlight provides different background images and text on the lock scre
- Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
**Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**.
> [!NOTE]
> This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**.
@ -1170,15 +1191,15 @@ Windows spotlight provides different background images and text on the lock scre
- **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Cloud Content** &gt; **Turn off Microsoft consumer experiences**.
For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
For more info, see [Manage user experiences in Windows 10, version 1607](../manage/manage-user-experiences-windows-10.md).
### <a href="" id="bkmk-windowsstore"></a>22. Windows Store
### <a href="" id="bkmk-windowsstore"></a>23. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Store** &gt; **Disable all apps from Windows Store**.
### <a href="" id="bkmk-updates"></a>23. Windows Update Delivery Optimization
### <a href="" id="bkmk-updates"></a>24. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@ -1186,38 +1207,40 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will only
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
### <a href="" id="bkmk-wudo-ui"></a>23.1 Settings &gt; Update & security
In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
### <a href="" id="bkmk-wudo-ui"></a>24.1 Settings &gt; Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**.
### <a href="" id="bkmk-wudo-gp"></a>23.2 Delivery Optimization Group Policies
### <a href="" id="bkmk-wudo-gp"></a>24.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization**.
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>None</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>Group</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>Internet</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>LAN</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li></ul>|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> ** Note** This ID must be a GUID.|
| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>None</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>Group</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>Internet</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>LAN</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>Simple</strong>. Simple download mode with no peering.</p></li><li><p><strong>Bypass</strong>. Use BITS instead of Windows Update Delivery Optimization.</p></li></ul>|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> **Note:** This ID must be a GUID.|
| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache. <br /> The default value is 259200 seconds (3 days).|
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
### <a href="" id="bkmk-wudo-mdm"></a>23.3 Delivery Optimization MDM policies
### <a href="" id="bkmk-wudo-mdm"></a>24.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>0</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>1</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>2</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>3</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li></ul>|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>0</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>1</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>2</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>3</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>99</strong>. Simple download mode with no peering.</p></li><li><p><strong>100</strong>. Use BITS instead of Windows Update Delivery Optimization.</p></li></ul>|
| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> **Note** This ID must be a GUID.|
| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache. <br /> The default value is 259200 seconds (3 days).|
| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
### <a href="" id="bkmk-wudo-prov"></a>23.4 Delivery Optimization Windows Provisioning
### <a href="" id="bkmk-wudo-prov"></a>24.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
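Review bot: The Group Policy "Download Mode" row names its options (None, Group, Internet, LAN, Simple, Bypass) while the `DeliveryOptimization/DODownloadMode` row lists numbers (0, 1, 2, 3, 99, 100) in a different order, so a reader has to match them by description. Put the name next to each number, for example "1 (LAN)" and "2 (Group)". Neither row states a default mode, although the cache age, cache size and upload bandwidth rows all state theirs; that matters because mode 3 shares updates with PCs on the Internet. Smaller points: the `DOGroupID` row writes `**Note**` where the Group Policy row writes `**Note:**`, and the sentence ending "to configure the Delivery Optimization policies" has no full stop.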
@ -1233,7 +1256,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
### <a href="" id="bkmk-wu"></a>24. Windows Update
### <a href="" id="bkmk-wu"></a>25. Windows Update
You can turn off Windows Update by setting the following registry entries:
@ -1243,6 +1266,11 @@ You can turn off Windows Update by setting the following registry entries:
- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-and-
- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
You can turn off automatic updates by doing one of the following. This is not recommended.
- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
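Review bot: The **UseWUServer** item writes its registry path with single backslashes (`HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`), while the **DisableWindowsUpdateAccess** item above it escapes each separator as `\\`. Use one form so both paths are written the same way. The text also does not say which update server a device is expected to use once **UseWUServer** is set to 1. In addition, the "turn off automatic updates" sentence carries "This is not recommended", but the "turn off Windows Update" step has no equivalent caveat. A sentence covering both would help, since a device configured this way no longer gets updates from Windows Update.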

View File

@ -115,6 +115,7 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
## Related topics
[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) 
- [New policies for Windows 10](new-policies-for-windows-10.md)
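Review bot: Under "Related topics", the entry `[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)` has no leading `- `, unlike the two entries after it, so it will render as a paragraph instead of a list item. Add the bullet. The "Connect to remote Azure Active Directory-joined PC" line also ends in trailing whitespace.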

View File

@ -0,0 +1,63 @@
---
title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10)
description: Windows 10 provides organizations with various options to manage auser experiences to provide a consistent and predictable experience for employees.
keywords: ["device management"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
---
# Manage Windows 10 and Windows Store tips, tricks, and suggestions
**Applies to**
- Windows 10
> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, we well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include:
* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover.
* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Windows Store.
* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the users experience.
* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
Windows 10 tips, tricks, and suggestions and Windows Store suggestions can be turned on or off by users. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows.
Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
## Options available to manage Windows 10 tips and tricks and Windows Store suggestions
| Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps |
| --- | --- | --- | --- |
| Windows 10 Pro | No | Yes | Yes (default) |
| Windows 10 Enterprise | Yes | Yes | Yes (default) |
| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
## Related topics
- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md)
- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md)
- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers)
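Review bot: The front-matter `description` reads "manage auser experiences" and the opening paragraph reads "we well as app suggestions"; these should be "manage user experiences" and "as well as". In the bullet list, "productivity tool or utilities" and "the users experience" also need fixing. The paragraph before the table says the content can be managed centrally through Group Policy or MDM, but the table gives only Yes/No per edition and never names the policy or setting an administrator would configure. Add the setting names or link to the topic that lists them.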
 
 

View File

@ -13,29 +13,99 @@
### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
### [Standard User Analyzer (SUA) User's Guide](sua-users-guide.md)
#### [Using the SUA Wizard](using-the-sua-wizard.md)
#### [Using the SUA Tool](using-the-sua-tool.md)
##### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
##### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
##### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
##### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
#### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
##### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
##### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
##### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
##### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
##### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
##### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
##### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
##### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
##### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
#### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
##### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
### [Welcome to ACT](welcome-to-act.md)
#### [What's New in ACT 6.1](whats-new-in-act-60.md)
#### [Software Requirements for ACT](software-requirements-for-act.md)
#### [Software Requirements for RAP](software-requirements-for-rap.md)
### [Configuring ACT](configuring-act.md)
#### [ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
#### [ACT Deployment Options](act-deployment-options.md)
#### [ACT Database Configuration](act-database-configuration.md)
#### [ACT Database Migration](act-database-migration.md)
#### [ACT LPS Share Permissions](act-lps-share-permissions.md)
### [Using ACT](using-act.md)
#### [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
##### [Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)
##### [Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)
##### [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)
#### [Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
##### [Deciding Which Applications to Test](deciding-which-applications-to-test.md)
##### [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
##### [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
##### [Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
##### [Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
###### [Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)
###### [Common Compatibility Issues](common-compatibility-issues.md)
#### [Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
##### [Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
##### [Exporting a Data-Collection Package](exporting-a-data-collection-package.md)
##### [Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
##### [Labeling Data in ACM](labeling-data-in-acm.md)
#### [Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
##### [Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md)
###### [&lt;OperatingSystem&gt; - Application Report](act-operatingsystem-application-report.md)
####### [&lt;Application&gt; Dialog Box](application-dialog-box.md)
###### [&lt;OperatingSystem&gt; - Computer Report](act-operatingsystem-computer-report.md)
####### [&lt;Computer&gt; Dialog Box](computer-dialog-box.md)
###### [&lt;OperatingSystem&gt; - Device Report](act-operatingsystem-device-report.md)
####### [&lt;Device&gt; Dialog Box](device-dialog-box.md)
###### [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)
####### [&lt;WebsiteURL&gt; Dialog Box](websiteurl-dialog-box.md)
###### [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md)
###### [Customizing Your Report Views](customizing-your-report-views.md)
##### [Organizing Your Compatibility Data](organizing-your-compatibility-data.md)
###### [Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md)
###### [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)
###### [Selecting Your Deployment Status](selecting-your-deployment-status.md)
###### [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)
###### [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)
###### [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)
###### [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)
####### [Adding or Editing an Issue](adding-or-editing-an-issue.md)
####### [Adding or Editing a Solution](adding-or-editing-a-solution.md)
####### [Resolving an Issue](resolving-an-issue.md)
##### [Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
###### [Example Filter Queries](example-filter-queries.md)
##### [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)
###### [Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md)
###### [ACT Community Ratings and Process](act-community-ratings-and-process.md)
#### [Fixing Compatibility Issues](fixing-compatibility-issues.md)
##### [Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md)
##### [SUA User's Guide](sua-users-guide.md)
###### [Using the SUA Wizard](using-the-sua-wizard.md)
###### [Using the SUA Tool](using-the-sua-tool.md)
####### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
####### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
####### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
####### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
##### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
###### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
####### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
####### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
####### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
####### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
####### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
####### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
###### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
####### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
####### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
####### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
###### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
### [Troubleshooting ACT](troubleshooting-act.md)
#### [Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md)
#### [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md)
#### [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md)
### [ACT User Interface Reference](act-user-interface-reference.md)
#### [Toolbar Icons in ACM](act-toolbar-icons-in-acm.md)
#### [Ratings Icons in ACM](ratings-icons-in-acm.md)
#### [Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md)
#### [Settings for ACM](settings-for-acm.md)
##### [Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)
##### [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)
### [ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
### [ACT Glossary](act-glossary.md)
### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
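Review bot: Several entries in this TOC are written with seven `#` characters, for example `####### [Adding or Editing an Issue](adding-or-editing-an-issue.md)`. Markdown headings stop at six levels, so confirm that the publishing toolchain accepts that depth or flatten the nesting by one level. The entry "What's New in ACT 6.1" links to `whats-new-in-act-60.md`, so the title and file name disagree on the version. The change-history row elsewhere in this commit says the ACT topics were redirected and that only Standard User Analyzer and Compatibility Administrator continue to be supported. Check that the full ACT tree listed here is the intended result of the merge.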

View File

@ -24,7 +24,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. |

View File

@ -1,56 +1,6 @@
---
title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10)
description: Resources to help you explore the Windows 10 browsing options for your enterprise.
ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
redirect_url: https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11
---
# Browser: Microsoft Edge and Internet Explorer 11
**Microsoft Edge content applies to:**
- Windows 10
- Windows 10 Mobile
**Internet Explorer 11 content applies to:**
- Windows 10
## Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### IE11
IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.
- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)

View File

@ -1,81 +1,5 @@
---
title: Enterprise data protection (EDP) overview (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprises control like email, social media, and the public cloud.
ms.assetid: 428A3135-CB5E-478B-B1FF-B6EB76F0DF14
keywords: EDP Overview, EDP
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: mobile, security
author: eross-msft
---
# Enterprise data protection (EDP) overview
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Benefits of EDP
EDP provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
- Ability to wipe corporate data from devices while leaving personal data alone.
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
## Enterprise scenarios
EDP currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
## Why use EDP?
EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.
You dont have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
- **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
- **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
- **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your protected apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
## Turn off EDP
You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info.
## Related topics
- [Protect your enterprise data using enterprise data protection (EDP)](../keep-secure/protect-enterprise-data-using-edp.md)
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
---
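Review bot: The Related topics link still targets `../keep-secure/protect-enterprise-data-using-edp.md`, while the `redirect_url` at the end of this hunk points to `protect-enterprise-data-using-wip`; make the two agree so readers land on the same topic either way. In the first bullet, the modes are introduced as "block, allow overrides, or audit" but the third is then described as "Silent"; use one name for that mode so an admin can match it to the policy setting. The "Turn off EDP" paragraph says "with no data loss" and then "EDP won't retain your decryption and policies info", which reads as contradictory; say explicitly what happens to files that are already encrypted when EDP is turned off. The apostrophes are also missing in "isnt", "wont" and "doesnt".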

View File

@ -316,6 +316,22 @@ Learn more about [Windows Update for Business](../plan/windows-update-for-busine
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
## Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11)
## Learn more
- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)
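Review bot: The IE11 download link in the Enterprise guidance paragraph uses plain `http://go.microsoft.com/fwlink/p/?linkid=290956`, while the other external links in this hunk use `https://`; switch it to `https://` so a browser installer is not fetched through a link that starts over an unauthenticated connection. In the "Compatibility and security" bullet, "You must use IE11 to run older, less secure technology, such as ActiveX controls" would be clearer if it tied back to the previous sentence and said that IE11 use is meant for the intranet and Enterprise Mode Site List sites named there, so the bullet does not read as a general recommendation to browse with IE11.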

View File

@ -54,7 +54,16 @@ Additional changes for Windows Hello in Windows 10, version 1607:
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
 
### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip)
## Management
### Use Remote Desktop Connection for PCs joined to Azure Active Directory
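Review bot: The first paragraph added under the WIP heading has dropped apostrophes ("theres", "the enterprises control"), and its "For example, when an employee sends ..." sentence is a fragment with no main clause; restore the apostrophes and rewrite the example as a full sentence, such as "For example, an employee might send ...". The two paragraphs also alternate between "accidental data leak" and "data leakage"; pick one term. Since the heading introduces WIP as "formerly known as enterprise data protection (EDP)", check that the three linked topics (`overview-create-wip-policy`, `guidance-and-best-practices-wip`, `protect-enterprise-data-using-wip`) exist under the new names in this merge.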