Merge remote-tracking branch 'refs/remotes/origin/master' into live

devices/hololens/hololens-requirements.md

@@ -45,11 +45,11 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
 
 ## Related resources
 
-[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
+[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/)
 
-[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
+[Get started with Intune](https://docs.microsoft.com/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
 
-[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
+[Enroll devices for management in Intune](https://docs.microsoft.com/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
 
-[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
+[Azure AD editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)
 

mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md

@@ -597,15 +597,19 @@ The UE-V settings storage location and settings template catalog support storing
 
 -   Format the storage volume with an NTFS file system.
 
--   The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991).
+-   The share can use Distributed File System (DFS) but there are restrictions. 
+Specifically, Distributed File System Replication (DFS-R) single target configuration with or without a Distributed File System Namespace (DFS-N) is supported. 
+Likewise, only single target configuration is supported with DFS-N.
+For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991)
+and also [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](https://support.microsoft.com/kb/2533009).
 
-    In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication.
+    In addition, because SYSVOL uses DFS-R for replication, SYSVOL cannot be used for UE-V data file replication.
 
 -   Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the Settings Storage Location for UE-V 2.x](http://technet.microsoft.com/library/dn458891.aspx#ssl).
 
 -   Use file server clustering along with the UE-V Agent to provide access to copies of user state data in the event of communications failures.
 
--   You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both.
+-   You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFS-N shares, or on both.
 
 ### <a href="" id="clocksync"></a>Synchronize computer clocks for UE-V settings synchronization
 

windows/keep-secure/bcd-settings-and-bitlocker.md

@@ -131,7 +131,6 @@ This following is a full list of BCD settings with friendly names which are igno
 | 0x15000052 | all| graphicsresolution| 
 | 0x15000065 | all| displaymessage| 
 | 0x15000066| all| displaymessageoverride| 
-| 0x15000081 | all| logcontrol|
 | 0x16000009 | all| recoveryenabled| 
 | 0x1600000b | all| badmemoryaccess| 
 | 0x1600000f | all| traditionalkseg| 

windows/keep-secure/bitlocker-group-policy-settings.md

@@ -32,6 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se
 
 The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
 
+-   [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout)
 -   [Allow network unlock at startup](#bkmk-netunlock)
 -   [Require additional authentication at startup](#bkmk-unlockpol1)
 -   [Allow enhanced PINs for startup](#bkmk-unlockpol2)
@@ -85,6 +86,55 @@ The following policies are used to support customized deployment scenarios in yo
 -   [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
 -   [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
 
+### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN
+
+This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
+ 
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><strong>Policy description</strong></p></td>
+<td align="left"><p>With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support InstantGo or HSTI, while requiring PIN on older devices.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><strong>Introduced</strong></p></td>
+<td align="left"><p>Windows 10, version 1703</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><strong>Drive type</strong></p></td>
+<td align="left"><p>Operating system drives</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><strong>Policy path</strong></p></td>
+<td align="left"><p>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><strong>Conflicts</strong></p></td>
+<td align="left"><p>This setting overrides the <b>Require startup PIN with TPM</b> option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware. 
+
+</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><strong>When enabled</strong></p></td>
+<td align="left"><p>Users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><strong>When disabled or not configured</strong></p></td>
+<td align="left"><p>The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Reference**
+
+The preboot authentication option <b>Require startup PIN with TPM</b> of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support InstantGo. 
+But visually impaired users have no audible way to know when to enter a PIN. 
+This setting enables an exception to the PIN-required policy on secure hardware. 
+
 ### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup
 
 This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.

windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md

@@ -26,8 +26,8 @@ This section addresses issues that might arise as you use the Windows Defender A
 If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
 Configure your browser to allow cookies.
 
-### Data is missing on the portal
-If data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it.
+### Elements or data missing on the portal
+If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it.
 
 Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
 

windows/manage/manage-windows-10-in-your-organization-modern-management.md

@@ -81,7 +81,7 @@ You can envision user and device management as falling into these two categories
 
     Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
 
-For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
 
 As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
 

windows/manage/update-compliance-get-started.md

@@ -109,7 +109,20 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th
     3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
 
 - Using Microsoft Mobile Device Management (MDM)<BR><BR>
-    Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).  
+    Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp). 
+    
+    For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+
+    When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is: <PRE>./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID</PRE>
+
+    For example, you can use the following values in **Add or edit OMA-URI Setting**:
+    
+    **Setting Name**: Windows Analytics Commercial ID<BR>
+    **Setting Description**: Configuring commercial id for Windows Analytics solutions<BR>
+    **Data Type**: String<BR>
+    **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID<BR>
+    **Value**: \<Use the GUID shown on the Windows Telemetry tab in your OMS workspace\><BR>
+
 
 
 ## Related topics