```**Note**
You must use this format and the angle brackets if you have multiple pages.
**Disable or not configured (default):** Uses the corporate Home pages and URLs specified in the App settings. |
-| Configure the Enterprise Mode Site List | Whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. | **Enable:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured. If you use this option, you must also add the location to your site list in the **{URI}** box. When configured, any site on the list will always open in IE11.
**Disable or not configured:** You won't be able to use the Enterprise Mode Site List. |
-| Configure Favorites | Decide what sites appear on the default **Favorites** list. | **Enable:** Configure the default list of **Favorite** sites for your employees. If you use this option, you must also add the actual names and URLs for the sites.
**Disable or not configured (default):** Uses the **Favorites** list names and URLs specified in the **Favorites** hub. |
-| Don’t allow SmartScreen Filter warning overrides | Whether employees can override the SmartScreen Filter warnings about potentially malicious websites. | **Enable:** Stops employees from ignoring the SmartScreen Filter warnings and blocks them from visiting the site.
**Disable or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site.
**Note**
You can also turn on the SmartScreen Filter, using the **Turn off the SmartScreen Filter** setting and stop employees from ignoring the SmartScreen Filter warnings about unverified file downloads, using the **Don’t allow SmartScreen Filter warning overrides for unverified files** setting. |
-| Don’t allow SmartScreen Filter warning overrides for unverified files | Whether employees can override the SmartScreen Filter warnings about downloading unverified files. | **Enable:** Stops employees from ignoring the SmartScreen Filter warnings and stops them from downloading unverified files.
**Disable or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process.
**Note**
You can also turn on the SmartScreen Filter, using the **Turn off the SmartScreen Filter** setting and stop employees from ignoring the SmartScreen Filter warnings about potentially dangerous websites, using the **Don’t allow SmartScreen Filter warning overrides** setting. |
-| Don't allow WebRTC to share the LocalHost IP address | Whether an employee’s LocalHost IP address shows while using the WebRTC protocol | **Enable:** Hides the LocalHost IP address while using the WebRTC protocol.
**Disable or not configured (default):** Shows the LocalHost IP address while using the WebRTC protocol. |
-| Send all intranet sites to IE11 | Whether your intranet sites should all open using IE11.
**Important:** This setting should only be used if there are known compatibility problems with Microsoft Edge. | **Enable:** Automatically opens all intranet sites using IE11.
**Disable or not configured (default):** Automatically opens all intranet sites using Microsoft Edge. |
-| Turn off **Address** bar search suggestions | Whether search suggestions should appear in the **Address** bar of Microsoft Edge. | **Enable or not configured (default):** Employees can see search suggestions in the **Address** bar of Microsoft Edge.
**Disable:** Employees can’t see search suggestions in the **Address** bar of Microsoft Edge. |
-| Turn off Autofill | Whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. | **Enable or not configured (default):** Employees can use Autofill to complete form fields.
**Disable:** Employees can’t use Autofill to complete form fields. |
-| Turn off Developer Tools | Whether the F12 Developer Tools are available on Microsoft Edge. | **Enable or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.
**Disable:** Hides the F12 Developer Tools on Microsoft Edge. |
-| Turn off InPrivate browsing | Whether employees can browse using InPrivate website browsing. | **Enable or not configured (default):** Lets employees use InPrivate browsing while on the corporate network.
**Disable:** Stops employees from using inPrivate browsing on the corporate network. |
-| Turn off Password Manager | Whether employees can save their passwords locally, using Password Manager. | **Enable or not configured (default):** Employees can use Password Manager to save passwords locally.
**Disable:** Employees can't use Password Manager to save passwords locally. |
-| Turn off Pop-up Blocker | Whether to turn on Pop-up Blocker and allow pop-ups to appear in secondary windows. | **Enable or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.
**Disable:** Turns off Pop-up Blocker, allowing pop-up windows. |
-|Turn off the SmartScreen Filter | Whether to turn on SmartScreen Filter to help protect your employees from potential phishing scams and malicious software. | **Enable or not configured (default):** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
**Disable:** Turns off SmartScreen Filter.
**Note**
You can also stop employees from ignoring the SmartScreen Filter warnings about potentially dangerous websites, using the **Don’t allow SmartScreen Filter warning overrides** setting and stop employees from ignoring the SmartScreen Filter warnings about unverified file downloads, using the **Don’t allow SmartScreen Filter warning overrides for unverified files** setting. |
-
-
+| Policy name |Supported versions |Description |Options |
+|-------------|------------|-------------|--------|
+|Allow Developer Tools |Windows 10, Version 1511 or later |This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.
If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. |**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.
**Disabled:** Hides the F12 Developer Tools on Microsoft Edge. |
+|Allow InPrivate browsing |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can browse using InPrivate website browsing.
If you enable or don’t configure this setting, employees can use InPrivate website browsing.
If you disable this setting, employees can’t use InPrivate website browsing. |**Enabled or not configured (default):** Lets employees use InPrivate website browsing.
**Disabled:** Stops employees from using InPrivate website browsing. |
+|Allow web content on New Tab page |Windows 10 or later |This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
If you disable this setting, Microsoft Edge opens a new tab with a blank page.
If you don’t configure this setting, employees can choose how new tabs appears. |**Not configured (default):** Employees see web content on New Tab page, but can change it.
**Enabled:** Employees see web content on New Tab page.
**Disabled:** Employees always see an empty new tab. |
+|Configure Autofill |Windows 10 or later |This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.
If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.
If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.
If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. |**Not configured (default):** Employees can choose to turn Autofill on or off.
**Enabled:** Employees can use Autofill to complete form fields.
**Disabled:** Employees can’t use Autofill to complete form fields. |
+|Configure cookies |Windows 10 or later|This setting lets you configure how to work with cookies.
If you enable this setting, you must also decide whether to:
- **Allow all cookies (default):** Allows all cookies from all websites.
- **Block all cookies:** Blocks all cookies from all websites.
- **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
If you disable or don't configure this setting, all cookies are allowed from all sites. |**Enabled:** Lets you decide how your company treats cookies.
If you use this option, you must also choose whether to:
- **Allow all cookies (default):** Allows all cookies from all websites.
- **Block all cookies:** Blocks all cookies from all websites.
- **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
**Disabled or not configured:** All cookies are allowed from all sites.|
+|Configure Do Not Track |Windows 10 or later |This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.
If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.
If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.
If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. |**Not configured (default):** Employees can choose to send Do Not Track headers on or off.
**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.
**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info. |
+|Configure Edge Extensions |Windows 10 Insider Preview |This policy setting lets you decide whether employees can use Edge Extensions.
If you enable or don’t configure this setting, employees can use Edge Extensions.
If you disable this setting, employees can’t use Edge Extensions. |**Enabled or not configured:** Lets employees use Edge Extensions.
**Disabled:** Stops employees from using Edge Extensions. |
+|Configure Favorites |Windows 10, Version 1511 or later |This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub. |**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.
**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub. |
+|Configure Home pages |Windows 10, Version 1511 or later |This policy setting lets you configure one or more Home pages. for domain-joined devices. Your employees won't be able to change this after you set it.
If you enable this setting, you can configure one or more Home pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
``If you disable or don’t configure this setting, your default Home page is the webpage specified in App settings. |**Enabled:** Configure your Home pages. If you use this option, you must also include site URLs.
**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings. |
+|Configure Password Manager |Windows 10 or later |This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
If you enable this setting, employees can use Password Manager to save their passwords locally.
If you disable this setting, employees can’t use Password Manager to save their passwords locally.
If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |**Not configured:** Employees can choose whether to use Password Manager.
**Enabled (default):** Employees can use Password Manager to save passwords locally.
**Disabled:** Employees can't use Password Manager to save passwords locally. |
+|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.
**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. |
+|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.
**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge. |
+|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on.
If you enable this setting, SmartScreen Filter is turned on and employees can’t turn it off.
If you disable this setting, SmartScreen Filter is turned off and employees can’t turn it on.
If you don’t configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter.
**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
**Disabled:** Turns off SmartScreen Filter. |
+|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.
If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. |**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.
If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.
**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List. |
+|Prevent access to the about:flags page |Windows 10 Insider Preview |This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
If you enable this policy setting, employees can’t access the about:flags page.
If you disable or don’t configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.
**Disabled or not configured (default):** Lets employees use the about:flags page. |
+|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files.
If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from downloading the unverified files.
If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files.
**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. |
+|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites.
If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from continuing to the site.
If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites.
**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. |
+|Prevent using Localhost IP address for WebRTC |Windows 10, Version 1511 or later |This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.
If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.
If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol. |**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.
**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol. |
+|Send all intranet sites to Internet Explorer 11 |Windows 10 or later |This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.
If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge. |**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.
**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge. |
+|Show message when opening sites in Internet Explorer |Windows 10 Insider Preview |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. |
## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
-
-
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( http://go.microsoft.com/fwlink/p/?LinkId=722885) page.
**Note**
The **Supports** column uses these options:
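Review bot: In the added Group Policy table, the "Configure Pop-up Blocker" row contradicts itself. Its description says "If you don’t configure this setting, employees can choose whether to use Pop-up Blocker", but its Options cell lists "**Enabled or not configured (default):** Turns on Pop-up Blocker". Pick one behaviour for the unconfigured state and state it in both cells. Two other rows have smaller mismatches: "Configure Password Manager" marks **Enabled (default)** although its description says unconfigured lets employees choose, and "Configure Do Not Track" says requests are "always sent" when enabled while the option text says employees "can send" them. The rewrite also drops the Notes from the removed SmartScreen rows that pointed to the override settings. Because the new "Configure SmartScreen Filter" row lets employees turn the filter off when unconfigured, a cross-reference to "Prevent bypassing SmartScreen prompts for sites" and "Prevent bypassing SmartScreen prompts for files" would help admins who want the warnings enforced. Minor: "one or more Home pages. for domain-joined devices" has a stray period, and the angle-bracket format example in that row is empty.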
@@ -63,43 +61,46 @@ If you manage your policies using Intune, you'll want to use these MDM policy se
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
-| Policy name | Supports | Details |
-| -------------------------------------------- | --------------------| ------------------------------------------------------- |
-| AllowAutofill | Desktop |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Autofill to complete form fields.
- **1 (default).** Employees can use Autofill to complete form fields.
|
-| AllowBrowser | Mobile | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Microsoft Edge.
- **1 (default).** Employees can use Microsoft Edge.
|
-| AllowCookies | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
- **Data type.** Integer
- **Allowed values:**
- **0.** Block all cookies from all sites.
- **1.** Block only 3rd party cookies.
- **2 (default).** Don't block. Allow all cookies from all sites.
|
-| AllowDeveloperTools | Desktop | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can't use the F12 Developer Tools on Microsoft Edge.
- **1 (default).** Employees can use the F12 Developer Tools on Microsoft Edge.
|
-| AllowDoNotTrack | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.
- **1.** Employees can send Do Not Track headers to websites requesting tracking info.
|
-| AllowPasswordManager | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can use Password Manager to save passwords locally.
- **1 (default).** Employees can't use Password Manager to save passwords locally.
-| AllowPopups | Desktop | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Turns off Pop-up Blocker, stopping pop-up windows
- **1.** Turns on Pop-up Blocker, allowing pop-up windows.
|
-| AllowSearchSuggestions
inAddressBar | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestions
inAddressBar - **Data type.** Integer
- **Allowed values:**
- **0.** Employees can see search suggestions in the **Address** bar of Microsoft Edge.
- **1 (default).** Employees can’t see search suggestions in the **Address** bar of Microsoft Edge.
|
-| AllowSmartScreen | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
- **Data type.** Integer
- **Allowed values:**
- **0.** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
- **1 (default).** Turns off SmartScreen Filter.
|
-| EnterpriseModeSiteList | Desktop | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
- **Data type.** Integer
- **Allowed values:**
- **Not configured (default).**
- **1.** Use Enterprise Mode site list, if configured.
- **2.** Specify the location to the site list.
|
-| Favorites | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites
- **Data type.** String
- **Allowed values:**
- URLs to favorite webpages.
**Example:**
``````
``````**Note** URLs must be on separate lines.
|
-| FirstRunURL | Mobile | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL
- **Data type.** String
- **Allowed values:**
- URL to first run webpage.
**Example:**
``````
|
-| HomePages | Desktop | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages
- **Data type.** String
- **Allowed values:**
- URLs to home pages.
**Example:**
``````
|
-| PreventSmartScreen
PromptOverride | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreen
PromptOverride - **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings.
- **1.** Employees can't override SmartScreen warnings.
|
-| PreventSmartScreen
PromptOverrideForFiles | Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreen
PromptOverrideForFiles - **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings for files.
- **1.** Employees can't override SmartScreen warnings for files.
|
-| PreventUsingLocalHost
IPAddressforWebRTC | Desktop | - **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocal
HostIPAddressForWebRTC - **Data type.** Integer
- **Allowed values:**
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1.** Hides an employee's LocalHost IP address while using the WebRTC protocol.
|
+| Policy name |Supported versions |Supported device |Details |
+|-------------|-------------------|-----------------|--------|
+|AllowAutofill|Windows 10 or later |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Autofill to complete form fields.
- **1 (default).** Employees can use Autofill to complete form fields.
+|AllowBrowser |Windows 10 or later |Mobile |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Microsoft Edge.
- **1 (default).** Employees can use Microsoft Edge.
|
+|AllowDeveloperTools |Windows 10, Version 1511 or later |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
- **Data type:** Integer
- **Allowed values:**
- **0.** Employees can't use the F12 Developer Tools
- **1 (default).** Employees can use the F12 Developer Tools
|
+|AllowDoNotTrack |Windows 10 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.
- **1.** Employees can send Do Not Track headers to websites requesting tracking info.
|
+|AllowExtensions |Windows 10 Insider Preview |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Edge Extensions.
- **1 (default).** Employees can use Edge Extensions.
|
+|AllowInPrivate |Windows 10, Version 1511 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use InPrivate browsing.
- **1 (default).** Employees can use InPrivate browsing.
|
+|AllowPasswordManager |Windows 10 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can't use Password Manager to save passwords locally.
- **1.** Employees can use Password Manager to save passwords locally.
|
+|AllowPopups |Windows 10 or later |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.
- **1.** Turns on Pop-up Blocker, stopping pop-up windows.
|
+|AllowSearchSuggestions
inAddressBar |Windows 10 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar/
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
- **1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
|
+|AllowSmartScreen |Windows 10 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Turns off SmartScreen Filter.
- **1.** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
|
+|Cookies |Windows 10 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Cookies
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Allows all cookies from all sites.
- **1.** Blocks only cookies from 3rd party websites
- **2.** Blocks all cookies from all sites.
|
+|EnterpriseModeSiteList |Windows 10 or later |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
- **Data type.** String
- **Allowed values:**
- Not configured.
- **1 (default).** Use the Enterprise Mode Site List, if configured.
- **2.** Specify the location to the site list.
|
+|Favorites |Windows 10, Version 1511 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites
- **Data type.** String
- **Allowed values:** |
+|FirstRunURL |Windows 10, Version 1511 or later |Mobile |
- **URI full path.** ./Vendor/MSFT/Policy/Config/ Browser/FirstRunURL
- **Data type.** String
- **Allowed values:**
- Configure the first run URL for your employees.
**Example:**
``
|
+|HomePages |Windows 10, Version 1511 or later |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages
- **Data type.** String
- **Allowed values:**
- Configure the Home page URLs for your employees.
**Example:**
``
|
+|PreventAccessToAbout
FlagsInMicrosoftEdge |Windows 10 Insider Preview |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can access the about:flags page in Microsoft Edge.
- **1.** Employees can't access the about:flags page in Microsoft Edge.
|
+|PreventSmartScreen
PromptOverride |Windows 10, Version 1511 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings.
- **1.** Employees can't ignore SmartScreen warnings.
|
+|PreventSmartScreen
PromptOverrideForFiles |Windows 10, Version 1511 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings for files.
- **1.** Employees can't ignore SmartScreen warnings for files.
|
+|PreventUsingLocalHostIP
AddressForWebRTC |Windows 10, Version 1511 or later |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.
|
+|SendIntranetTraffic
toInternetExplorer |Windows 10 or later |Both |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer/
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1.** Automatically opens all intranet sites using Internet Explorer 11.
|
+|ShowMessageWhenOpening
InteretExplorerSites |Windows 10 Insider Preview |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
|
+## Microsoft Edge and Windows 10-specific Group Policy settings
+These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
-## Microsoft Edge and Windows 10-specific Group Policy and MDM settings
+|Group Policy setting |Description |Options |
+| --------------------|--------------|---------|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Whether employees can use Cortana. |**Enabled or not configured:** Employees can use Cortana on their devices.**Disabled:** Stops employees from using Cortana on their devices.
**Note** Employees can still perform searches even with Cortana turned off. |
+|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync |Whether employees can use the **Sync your Settings** options to sync their settings to and from their device. |**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting.
**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device. |
+|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings |Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites. |**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting.
**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device. |
-These are additional Windows 10-specific settings that work with Microsoft Edge.
-
-| Group Policy setting | Description | Options |
-| --------------------------------------- | ----------------------------------------- | ------------------------------------------------------- |
-| Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana | Whether employees can use Cortana. | **Enable or not configured:** Employees can use Cortana on their devices.
**Disable:** Stops employees from using Cortana on their devices.
**Note** Employees can still perform searches even with Cortana turned off. |
-| Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | Whether employees can use the **Sync your Settings** options to sync their settings to and from their device. | **Enable:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting.
**Disable or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device. |
-| Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings | Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and **Favorites**. | **Enable:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting.
**Disable or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device. |
-
-## Additional Windows 10-specific MDM policy settings
+## Microsoft Edge and Windows 10-specific MDM policy settings
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
-| MDM Policy name | Supports | Details |
-| ---------------------------------------| ------------------- | ------------------------------------------------------------------------------ |
-| AllowCortana | Both |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Cortana on their devices.
- **1 (default).** Employees can use Cortana on their devices.
|
-| AllowSyncMySettings | Desktop | - **URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t sync settings between PCs.
- **1 (default).** Employees can sync between PCs.
|
+|MDM Policy name |Supports |Details |
+|----------------|--------------|------------------- |
+|AllowCortana |Both | - **URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t use Cortana on their devices.
- **1 (default).** Employees can use Cortana on their devices.
|
+|AllowSyncMySettings |Desktop |- **URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
- **Data type.** Integer
- **Allowed values:**
- **0.** Employees can’t sync settings between PCs.
- **1 (default).** Employees can sync between PCs.
|
## Related topics
* [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=214514)
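Review bot: Several **URI full path** values in the new MDM table rows look wrong or inconsistent and should be checked against the Policy CSP before merge. The FirstRunURL row has a space inside the path (`./Vendor/MSFT/Policy/Config/ Browser/FirstRunURL`), the SendIntranetTraffictoInternetExplorer path ends with a trailing slash, `PreventSmartscreenPromptOverride` uses a lowercase "s" where the sibling `PreventSmartScreenPromptOverrideForFiles` does not, and `ShowMessageWhenOpeningSitesInInteretExplorer` spells "Internet" as "Interet" (its name column, `ShowMessageWhenOpening InteretExplorerSites`, also orders the words differently from the URI). An admin who copies a path that does not match the CSP node will not set the intended policy, which matters most for the two SmartScreen override rows. The **Example:** entries for FirstRunURL and HomePages are empty, and the Favorites row lists no allowed values.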
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
new file mode 100644
index 0000000000..1a79a97be1
--- /dev/null
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -0,0 +1,16 @@
+---
+title: Change history for Microsoft Edge (Microsoft Edge for IT Pros)
+description: This topic lists new and updated topics in the Microsoft Edge documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Change history for Microsoft Edge
+This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile.
+
+## May 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. |
\ No newline at end of file
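Review bot: The description in the table row, "Added new policies and the Supported versions column for Windows 10 Insider Preview", reads as if the new column only covers Insider Preview, while the policy table in this same commit also uses "Windows 10 or later" and "Windows 10, Version 1511 or later" in that column. Suggest "Added new policies, including Windows 10 Insider Preview policies, and a Supported versions column." The file also ends without a trailing newline.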
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
new file mode 100644
index 0000000000..cd0ed579af
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -0,0 +1,16 @@
+---
+title: Change history for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+description: This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: IE11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Change history for Internet Explorer 11
+This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
+
+## May 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Enterprise Mode schema v.1 guidance for Windows 7 and Windows 8.1 Update devices](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. |
\ No newline at end of file
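Review bot: In the table row, `<emie>` and `<docMode>` are written as bare angle-bracket text, so a Markdown renderer is likely to treat them as HTML tags and drop them from the description; wrap them in backticks or escape the brackets. The front-matter description also says this covers "Windows 10 and Windows 10 Mobile" while the only listed change is for Windows 7 and Windows 8.1 Update devices. The file ends without a trailing newline.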
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 72353b0be5..69bf767c22 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -168,6 +168,23 @@ Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.c
+### Using Enterprise Mode and document mode together
+If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain.
+
+For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node.
+
+```xml
+
+
+ contoso.com
+ test.contoso.com
+
+
+ test.contoso.com
+
+
+```
+
### What not to include in your schema
We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing.
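Review bot: The added `xml` sample contains only the bare strings `contoso.com` and `test.contoso.com`, with no elements or attributes, so it does not show the exclusion under the `<emie>` node or the document mode 11 entry that the paragraph above it describes. Please restore the full markup inside the fence so readers can see how the exclusion is expressed. The bare `<emie>` and `<docMode>` in the two added prose paragraphs have the same rendering problem and should be in backticks.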
@@ -264,6 +281,4 @@ If you want to target specific sites in your organization.
- contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 89ce6129e1..45f8e7349c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -26,6 +26,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
## In this guide
|Topic |Description |
|------|------------|
+|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. |
|[System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md) |IE11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. |
|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 7df4d37ea3..d199472eaa 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -84,9 +84,11 @@ IE opens the app’s website.
**Security Note:**
If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again.
## How does IE decide which ActiveX controls to block?
-IE uses Microsoft’s versionlist.xml file to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file.
+IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file.
-You can see your copy of the versionlist.xml file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml`, or you can view Microsoft’s version at [Internet Explorer version list](http://go.microsoft.com/fwlink/p/?LinkId=403864).
+You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here:
+- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?LinkId=798230)
+- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864)
**Security Note:**
Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt:
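Review bot: The rewritten first paragraph now names two files, versionlist.xml and versionlistWin7.xml, but still ends with "your local copy of the file", and the local path on the next added line shows only `VersionManager\versionlist.xml`; please say which file name a Windows 7 SP1 or Windows Server 2008 R2 device keeps locally. The two new links also differ in scheme: the Windows 7 one uses `http://go.microsoft.com/...` while "All other configurations" uses `https://`. Because this list decides which ActiveX controls get blocked, both links should use https.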
@@ -171,7 +173,7 @@ Here’s a detailed example and description of what’s included in the VersionA
### Inventory your ActiveX controls by using a local WMI class
For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control.
-### Before you begin
+#### Before you begin
Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](http://go.microsoft.com/fwlink/p/?LinkId=616971), which includes:
- **ConfigureWMILogging.ps1**. A Windows PowerShell script.
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 790e48d372..65f42da6b5 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -25,6 +25,7 @@
#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
#### [Monitor your Surface Hub](monitor-surface-hub.md)
#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
+#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
#### [Windows updates](manage-windows-updates-for-surface-hub.md)
#### [Wireless network management](wireless-network-management-for-surface-hub.md)
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
new file mode 100644
index 0000000000..cc608f499b
--- /dev/null
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -0,0 +1,426 @@
+---
+title: Connect other devices and display with Surface Hub
+description: You can connect other device to your Surface Hub to display content. This topic describes guest mode and replacement PC modes that is available through a wired connection.
+Robots: noindex, nofollow
+ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
+author: TrudyHa
+---
+
+# Connect other devices and display with Surface Hub
+
+
+You can connect other device to your Surface Hub to display content. This topic describes guest mode and replacement PC modes that is available through a wired connection.
+
+## Guest mode
+
+
+Guest mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and displays them on the Surface Hub. If Surface Hub encounters an HDCP signal, the source will be re-routed through an alternate path, allowing the source to be displayed full-screen without violating HDCP requirements.
+
+### Ports
+
+Use these ports on the Surface Hub for the guest mode.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Display Port 1.1a |
+Video input |
+Guest input #1 |
+
+Support simultaneous guest input display with guest input #2 and guest input #3 (one full resolution, two thumbnail).
+HDCP compliant in bypass mode
+Touchback enabled
+ |
+
+
+HDMI 1.4 |
+Video input |
+Guest input #2 |
+
+Support simultaneous guest input display with guest input #1 and guest input #3 (one full resolution, two thumbnail).
+HDCP compliant in bypass mode
+Touchback enabled
+ |
+
+
+VGA |
+Video input |
+Guest input #3 |
+
+Support simultaneous guest input display with guest input #1 and guest input #2 (one full resolution, two thumbnail).
+HDCP compliant in bypass mode
+Touchback enabled
+ |
+
+
+3.5 mm jack |
+Audio input |
+Analog audio input |
+ |
+
+
+USB 2.0, type B |
+USB out |
+Touchback |
+ |
+
+
+
+
+
+
+### Port locations
+
+These are the port connections used for guest mode on the 55" and 84" Surface Hubs.
+
+
+
+Wired port connections on 55" Surface Hub
+
+
+
+Wired port connections on 84" Surface Hub
+
+### Port enumeration
+
+When a Surface hub is connected to guest computer with the wired connect USB port, a number of USB devices are discovered and configured. These peripheral devices are created for touchback and inkback. The peripheral devices can viewed in Device Manager. Device Manager will show duplicate names for some devices.
+
+**Human interface devices**
+
+- HID-compliant consumer control device
+
+- HID-compliant pen
+
+- HID-compliant pen (duplicate item)
+
+- HID-compliant pen (duplicate item)
+
+- HID-compliant touch screen
+
+- USB Input Device
+
+- USB Input Device (duplicate item)
+
+**Keyboards**
+
+- Standard PS/2 keyboard
+
+**Mice and other pointing devices**
+
+- HID-compliant mouse
+
+**Universal serial bus conntrollers**
+
+- Generic USB hub
+
+- USB composite device
+
+### Guest mode connectivity
+
+Your choice of video cable will be determined by what is available from your source input. The Surface Hub has three choices of video input, DisplayPort, HDMI and VGA. Please refer to the below chart for available resolutions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+PC |
+640 x 480 |
+59.94/60 |
+X |
+X |
+X |
+
+
+PC |
+720 x 480 |
+59.94/60 |
+X |
+X |
+ |
+
+
+PC |
+1024 x 768 |
+60 |
+X |
+X |
+X |
+
+
+HDTV |
+720p |
+59.94/60 |
+X |
+X |
+X |
+
+
+HDTV |
+1080p |
+59.94/60 |
+X |
+X |
+X |
+
+
+
+
+
+
+Source audio is provided by DisplayPort and HDMI cables. If you must use VGA, Surface Hub has an audio input port that uses a 3.5 mm plug. Surface Hub also uses a USB cable that provides touch and inkback from the Surface Hub to compatible Windows 10 devices. The USB cable can be used with any video input that is already connected with a cable.
+
+Someone using guest mode to connect a PC would use one of these options:
+
+**DisplayPort** -- DisplayPort cable and USB 2.0 cable
+
+**HDMI** -- HDMI cable and USB 2.0 cable
+
+**VGA** -- VGA cable, 3.5 mm audio cable, and USB 2.0 cable
+
+If the computer you are using for guest mode is not compatible with Touch and Inkback, then you won't need the USB cable.
+
+## Replacement PC mode
+
+
+In replacement PC mode, the embedded computer of the Surface Hub is turned off and an external PC is connected to the Surface Hub. Connections to replacement PC ports give access to key peripherals on the Surface Hub, including the screen, pen, and touch features. This does mean that your Surface Hub won’t have the benefit of the Windows Team experience, but you will have the flexibility offered by providing and managing your own Windows computer.
+
+### Software requirements
+
+You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC.
+
+### Hardware requirements
+
+Surface Hub is compatible with a range of hardware. Choose the processor and memory confirmation for your replacement PC so that it supports the programs you'll be using. Your replacement PC hardware needs to support 64-bit versions of Windows 10.
+
+### Graphics adapter
+
+In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, though the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal, 60Hz video signals are also supported.
+
+**55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
+
+**84" Surface Hubs** - For best experience, use a graphics card capable of outputting four DisplayPort 1.2 streams to produce 2160p at 120Hz (3840 x 2160 at 120Hz vertical refresh). We've verified that this works with the NVIDIA Quadro K2200, NVIDIA Quadro K4200, and NVIDIA Quadro M6000. These are not the only graphics cards - others are available from other vendors.
+
+Check directly with graphics card vendors for the latest drivers.
+
+
+
+
+
+
+
+
+
+
+
+NVIDIA |
+[http://nvidia.com/Download/index.aspx](http://nvidia.com/Download/index.aspx) |
+
+
+AMD |
+[http://support.amd.com/download](http://support.amd.com/download) |
+
+
+Intel |
+[https://downloadcenter.intel.com/](https://downloadcenter.intel.com/) |
+
+
+
+
+
+
+### Ports
+
+Replacement PC ports on 55" Surface Hub.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+PC video |
+Video input |
+DisplayPort 1.2 |
+ |
+
+
+Internal peripherals |
+USB output |
+USB 2.0 type B |
+
+Touch
+Pen
+Speakers
+Microphone
+Cameras
+NFC sensor
+Ambient light sensor
+Passive infrared sensor
+ |
+
+
+USB hub |
+USB output |
+USB 2.0 type B |
+ |
+
+
+
+
+
+
+Replacement PC ports on 84" Surface Hub.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+PC video |
+Video input |
+DisplayPort 1.2 (2x) |
+ |
+
+
+Internal peripherals |
+USB output |
+USB 2.0 type B |
+
+Touch
+Pen
+Speakers
+Microphone
+Cameras
+NFC sensor
+Ambient light sensor
+Passive infrared sensor
+ |
+
+
+USB hub |
+USB output |
+USB 2.0 type B |
+ |
+
+
+
+
+
+
+### Replacement PC setup instructions
+
+**To use replacement PC mode**
+
+1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) on the replacement PC.
+
+ **Note** We recommend that you set sleep or hibernation on the replacement PC so the Surface Hub will turn off the display when it isn't being used.
+
+
+
+2. Turn off the Surface Hub using the power switch next to the power cable.
+
+3. Connect the cables from the Surface Hub's replacement PC ports to the replacement PC. These ports are usually covered by a removable plastic cover.
+
+ 55" Surface Hub -- connect one DisplayPort cable, and two USB cables.
+
+ 84" Surface Hub -- connect two DisplayPort cables, and two USB cables.
+
+4. Toggle the Mode switch to **Replacement PC**. The Mode switch is next to the Replacement PC ports.
+
+5. Turn on the Surface Hub using the power switch next to the power cable.
+
+6. Press the power button on the right side of the Surface Hub.
+
+You can switch the Surface Hub to use the internal PC.
+
+**To switch back to internal PC**
+
+1. Turn off the Surface Hub using the power switch next to the power cable.
+
+2. Toggle the Mode switch to Internal PC. The Mode switch is next to the Replacement PC ports.
+
+3. Turn on the Surface Hub using the power switch next to the power cable.
+
+
+
+
+
+
+
+
+
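Review bot: In the guest mode **Ports** table, the VGA row repeats "HDCP compliant in bypass mode" from the DisplayPort and HDMI rows, but VGA is an analog input and does not carry HDCP, so that line looks like a copy-paste error and should be removed or corrected. The front matter sets `Robots: noindex, nofollow`, which will keep the topic out of search results; confirm that is intended for a page that is also added to the TOC. Text fixes: "other device" and "modes that is available" (description and intro), "can viewed" and "Surface hub" in **Port enumeration**, "Universal serial bus conntrollers", and "memory confirmation" (should be "configuration") under **Hardware requirements**. In **Port enumeration**, it would also help to state that these HID, keyboard and mouse devices are expected on the guest computer, so admins who restrict USB device installation know what to allow.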
diff --git a/devices/surface-hub/images/sh-55-guest-ports.png b/devices/surface-hub/images/sh-55-guest-ports.png
new file mode 100644
index 0000000000..af42c738f8
Binary files /dev/null and b/devices/surface-hub/images/sh-55-guest-ports.png differ
diff --git a/devices/surface-hub/images/sh-55-rpc-ports.png b/devices/surface-hub/images/sh-55-rpc-ports.png
new file mode 100644
index 0000000000..dfea48ef96
Binary files /dev/null and b/devices/surface-hub/images/sh-55-rpc-ports.png differ
diff --git a/devices/surface-hub/images/sh-84-guest-ports.png b/devices/surface-hub/images/sh-84-guest-ports.png
new file mode 100644
index 0000000000..6c7060154b
Binary files /dev/null and b/devices/surface-hub/images/sh-84-guest-ports.png differ
diff --git a/devices/surface-hub/images/sh-84-rpc-ports.png b/devices/surface-hub/images/sh-84-rpc-ports.png
new file mode 100644
index 0000000000..f3a0a52327
Binary files /dev/null and b/devices/surface-hub/images/sh-84-rpc-ports.png differ
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
new file mode 100644
index 0000000000..663ec20dc4
--- /dev/null
+++ b/devices/surface/TOC.md
@@ -0,0 +1,14 @@
+# [Surface](index.md)
+## [Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md)
+## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
+## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
+## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
+## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
+## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
+## [Surface Data Eraser](microsoft-surface-data-eraser.md)
+## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
+### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
+## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
+## [Surface Dock Updater](surface-dock-updater.md)
+
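Review bot: Two TOC entries have titles that disagree with their target file names: "Download the latest firmware and drivers for Surface devices" points to `deploy-the-latest-firmware-and-drivers-for-surface-devices.md`, and "Manage Surface driver and firmware updates" points to `manage-surface-pro-3-firmware-updates.md`. Confirm the titles match the H1 of each topic, or rename the files so links and titles stay in step. The trailing blank added line at the end of the file can be dropped.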
diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface.md
new file mode 100644
index 0000000000..e274220bee
--- /dev/null
+++ b/devices/surface/advanced-uefi-security-features-for-surface.md
@@ -0,0 +1,165 @@
+---
+title: Advanced UEFI security features for Surface (Surface)
+description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
+ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
+keywords: ["Surface, Surface Pro 3, security, features, configure, hardware, device, custom, script, update"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Advanced UEFI security features for Surface
+
+
+This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
+
+To address more granular control over the security of Surface devices, the v3.11.760.0 UEFI update provides additional security options that allow you to disable specific hardware devices or to prevent starting from those devices. After the UEFI update is installed on a device, you can configure it manually or automatically by running a script.
+
+## Manually install the UEFI update
+
+
+Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically using Windows Update, see [How to configure and use Automatic Updates in Windows]( http://go.microsoft.com/fwlink/p/?LinkID=618030). Otherwise, you can download the UEFI update from the Microsoft Download Center; see [SurfacePro3\_ 150326.msi (105 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618033) or [SurfacePro3\_ 150326.zip (156 MB)](http://go.microsoft.com/fwlink/p/?LinkID=618035).
+
+## Manually configure additional security settings
+
+
+**Note** To enter firmware setup on a Surface device, begin with the device powered off, press and hold the **Volume Up** button, then press and release the **Power** button, then release the **Volume Up** button after the device has begun to boot.
+
+
+
+After the v3.11.760.0 UEFI update is installed on a Surface device, an additional UEFI menu named **Advanced Device Security** becomes available. If you click this menu, the following options are displayed:
+
+| Option | Description | Available settings (default listed in bold) |
+|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
+| Network Boot | Enables or disables the ability of your Surface device to boot from the network (also known as PXE boot). | **Enabled**, Not Bootable |
+| Side USB | Enables or disables the USB port on the side of the Surface device. Additionally, the USB port can be enabled, but not allow booting. | **Enabled**, Not Bootable, Disabled |
+| Docking Port | Enables or disables the ports on the Surface docking station. Additionally, the docking port can be enabled, but block booting from any USB or Ethernet port in the docking station. | **Enabled**, Not Bootable, Disabled |
+| Front Camera | Enables or disables the camera on the front of the Surface device. | **Enabled**, Disabled |
+| Rear Camera | Enables or disables the camera on the rear of the Surface device. | **Enabled**, Disabled |
+| On Board Audio | Enables or disables audio on the Surface device. | **Enabled**, Disabled |
+| microSD | Enables or disables the microSD slot on the Surface device. | **Enabled**, Disabled |
+| WiFi | Enables or disables the built-in Wi-Fi transceiver in the Surface device. This also disables Bluetooth. | **Enabled**, Disabled |
+| Bluetooth | Enables or disables the built-in Bluetooth transceiver in the Surface device. | **Enabled**, Disabled |
+
+
+
+## Automate additional security settings
+
+
+As an IT professional with administrative privileges, you can automate the configuration of UEFI settings by leveraging [Surface Pro 3 Firmware Tools (476 KB)](http://go.microsoft.com/fwlink/p/?LinkID=618038) available from the Microsoft Download Center. These tools install a .NET assembly that can be called from any custom application or script.
+
+**Prerequisites**
+
+- The sample scripts below leverage the previously mentioned extension and therefore assume that the tool has been installed on the device being managed.
+- The scripts must be run with administrative privilege.
+- The Windows PowerShell command [**Set-ExecutionPolicy Unrestricted**](http://go.microsoft.com/fwlink/p/?LinkID=618039) must be called prior to running sample scripts if they are not digitally signed.
+
+**Sample scripts**
+
+**Note** The UEFI password used in the sample scripts below is presented in clear text. We strongly recommend saving the scripts in a protected location and running them in a controlled environment.
+
+
+
+Show all configurable options:
+
+```
+# Load the extension
+[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
+
+# Get the collection of all configurable settings
+$uefiOptions = [Microsoft.Surface.FirmwareOption]::All()
+
+foreach ($uefiOption in $uefiOptions)
+{
+ Write-Host "Name:" $uefiOption.Name
+ Write-Host " Description =" $uefiOption.Description
+ Write-Host " Current Value =" $uefiOption.CurrentValue
+ Write-Host " Default Value =" $uefiOption.DefaultValue
+ Write-Host " Proposed Value =" $uefiOption.ProposedValue
+
+ # This gives usage and validation information
+ Write-Host " Allowed Values =" $uefiOption.FriendlyRegEx
+ Write-Host " Regular Expression =" $uefiOption.RegEx
+
+ Write-Host
+}
+```
+
+Set or change UEFI password:
+
+```
+# Load the extension
+[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
+
+# Must supply UEFI administrator Password if set
+# If it is not currently set this is ignored
+[Microsoft.Surface.FirmwareOption]::Unlock("1234")
+
+$Password = [Microsoft.Surface.FirmwareOption]::Find("Password")
+
+# Set New value to 12345
+$Password.ProposedValue = "12345"
+```
+
+Check status of proposed changes:
+
+```
+# Load the extension
+[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
+
+# Check update status
+$updateStatus = [Microsoft.Surface.FirmwareOption]::UpdateStatus
+$updateIteration = [Microsoft.Surface.FirmwareOption]::UpdateIteration
+Write-Host "Last Update Status =" $updateStatus
+Write-Host "Last Update Iteration =" $updateIteration
+
+# Get the individual results for the last proposed update
+# If the device has never had an update attempt this will be an empty list
+$details = [Microsoft.Surface.FirmwareOption]::UpdateStatusDetails
+Write-Host $details.Count "Settings were proposed"
+if ($details.Count -gt 0)
+{
+ Write-Host "Result Details"
+ foreach ($detail in $details.GetEnumerator())
+ {
+ Write-Host " " $detail.Key "=" $detail.Value
+ }
+}
+```
+
+Revert UEFI to default values:
+
+```
+# Load the extension
+[System.Reflection.Assembly]::Load("SurfaceUefiManager, Version=1.0.5483.22783, Culture=neutral, PublicKeyToken=20606f4b5276c705")
+
+# Must supply UEFI administrator Password if set
+# If it is not currently set this is ignored
+[Microsoft.Surface.FirmwareOption]::Unlock("1234")
+
+# Get the collection of all configurable settings
+$uefiOptions = [Microsoft.Surface.FirmwareOption]::All()
+
+# Reset all options to the factory default
+foreach ($uefiOption in $uefiOptions)
+{
+ $uefiOption.ProposedValue = $uefiOption.DefaultValue
+}
+```
+
+Status code interpretation
+
+- 00 - The proposed update was a success
+- 02 - One of the proposed values had an invalid value
+- 03 - There was a proposed value set that was not recognized
+- 0F - The unlock password did not match currently set password
+
+
+
+
+
+
+
+
+
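Review bot: the third item under **Prerequisites** tells administrators to run `Set-ExecutionPolicy Unrestricted` before using unsigned samples, which by default changes the policy for the whole machine and leaves it changed after the script finishes. Suggest recommending signed scripts, or limiting the change with `Set-ExecutionPolicy -Scope Process` so it ends with the session. The samples also pass the literals "1234" and "12345" to `Unlock` and `ProposedValue`; an obvious placeholder would keep readers from copying a guessable UEFI password, and the clear-text **Note** could say where the password should be kept instead. Last, "Status code interpretation" is plain text while the sibling labels (**Prerequisites**, **Sample scripts**) are bold, and the page does not say which property returns these codes (`UpdateStatus` or the values in `UpdateStatusDetails`).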
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
new file mode 100644
index 0000000000..73466d6d64
--- /dev/null
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -0,0 +1,70 @@
+---
+title: Customize the OOBE for Surface deployments (Surface)
+description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
+ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
+keywords: ["deploy, customize, automate, deployment, network, Pen, pair, boot"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Customize the OOBE for Surface deployments
+
+
+This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
+
+It is common practice in a Windows deployment to customize the user experience for the first startup of deployed computers — the out-of-box experience, or OOBE.
+
+**Note**
+OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](http://msdn.microsoft.com/library/windows/hardware/dn898581(v=vs.85).aspx).
+
+
+
+In some scenarios, you may want to provide complete automation to ensure that at the end of a deployment, computers are ready for use without any interaction from the user. In other scenarios, you may want to leave key elements of the experience for users to perform necessary actions or select between important choices. For administrators deploying to Surface devices, each of these scenarios presents a unique challenge to overcome.
+
+This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](http://go.microsoft.com/fwlink/p/?LinkID=618042).
+
+**Note**
+Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](http://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
+
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
+
+- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
+
+
+
+## Scenario 1: Wireless networking in OOBE with MDT 2013
+
+
+When a wireless network adapter is present during OOBE, the **Join a wireless network** page is displayed, which prompts a user to connect to a wireless network. This page is not automatically hidden by deployment technologies, including MDT 2013, and therefore will be displayed even when a deployment is configured for complete automation.
+
+To ensure that an automated deployment is not stopped by this page, the page must be hidden by configuring an additional setting in the answer file, **HideWirelessSetupInOOBE**. You can find additional information about the **HideWirelessSetupInOOBE** setting in [Unattended Windows Setup Reference](http://go.microsoft.com/fwlink/p/?LinkID=618044).
+
+## Scenario 2: Surface Pen pairing in OOBE
+
+
+When you first take a Surface Pro 3, Surface Pro 4, or Surface Book out of the package and start it up, the first-run experience of the factory image includes a prompt that asks you to pair the included Surface Pen to the device. This prompt is only provided by the factory image that ships with the device and is not included in other images used for deployment, such as the Windows Enterprise installation media downloaded from the Volume Licensing Service Center. Because pairing the Bluetooth Surface Pen outside of this experience requires that you enter the Control Panel or PC Settings and manually pair a Bluetooth device, you may want to have users or a technician use this prompt to perform the pairing operation.
+
+To provide the factory Surface Pen pairing experience in OOBE, you must copy four files from the factory Surface image into the reference image. You can copy these files into the reference environment before you capture the reference image, or you can add them later by using Deployment Image Servicing and Management (DISM) to mount the image. The four required files are:
+
+- %windir%\\system32\\oobe\\info\\default\\1033\\oobe.xml
+- %windir%\\system32\\oobe\\info\\default\\1033\\PenPairing\_en-US.png
+- %windir%\\system32\\oobe\\info\\default\\1033\\PenError\_en-US.png
+- %windir%\\system32\\oobe\\info\\default\\1033\\PenSuccess\_en-US.png
+
+**Note**
+You should copy the files from a factory image for the same model Surface device that you intend to deploy to. For example, you should use the files from a Surface Pro 3 to deploy to Surface Pro 3, and the files from Surface Book to deploy Surface Book, but you should not use the files from a Surface Pro 3 to deploy Surface Book or Surface Pro 4.
+
+
+
+The step-by-step process for adding these required files to an image is described in [Deploying Surface Pro 3 Pen and OneNote Tips](http://go.microsoft.com/fwlink/p/?LinkID=618045). This blog post also includes tips to ensure that the necessary updates for the Surface Pen Quick Note-Taking Experience are installed, which allows users to send notes to OneNote with a single click.
+
+
+
+
+
+
+
+
+
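Review bot: Scenario 1 names **HideWirelessSetupInOOBE** but never says where in the answer file it belongs or what value to set, so a reader has to follow the fwlink before they can act on it; add the component, configuration pass and value inline. In Scenario 2, the four paths hard-code `1033` and `_en-US` without stating that this is the en-US locale folder, so say what to copy for other languages. The `keywords` front matter is a single comma-separated string inside the array, unlike the list of separate strings used in enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md in this same patch.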
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
new file mode 100644
index 0000000000..d5de7a0bb0
--- /dev/null
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -0,0 +1,197 @@
+---
+title: Download the latest firmware and drivers for Surface devices (Surface)
+description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
+ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
+keywords: ["update Surface, newest, latest, download, firmware, driver, tablet, hardware, device"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Download the latest firmware and drivers for Surface devices
+
+
+This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
+
+As easy as it is to keep Surface device drivers and firmware up to date automatically with Windows Update, it is sometimes necessary to download and install updates manually, such as during a Windows deployment. For any situation where you need to install drivers and firmware separately from Windows Update, you can find the files available for download at the Microsoft Download Center.
+
+On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md).
+
+Driver and firmware updates for Surface devices are released in one of two ways:
+
+- **Point updates** are released for specific drivers or firmware revisions and provide the latest update for a specific component of the Surface device.
+
+- **Cumulative updates** provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows.
+
+Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article.
+
+**Note**
+To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page. Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file.
+
+
+
+Recent additions to the downloads for Surface devices provide you with options to install Windows 10 on your Surface devices and update LTE devices with the latest Windows 10 drivers and firmware.
+
+**Note** A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](http://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
+
+
+
+## Surface Book
+
+
+Download the following updates [for Surface Book from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=691691).
+
+- SurfaceBook\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+## Surface Pro 4
+
+
+Download the following updates for [Surface Pro 4 from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=691692).
+
+- SurfacePro4\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+## Surface Pro 3
+
+
+Download the following updates [for Surface Pro 3 from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690288).
+
+- SurfacePro3\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
+
+- SurfacePro3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+
+- SurfacePro3\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
+
+- SurfacePro3\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+
+- Surface Firmware Tool.msi – Firmware tools for UEFI management
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Pro 3 AssetTag.zip – UEFI Asset Tag management tool
+
+- Surface Pro 3 Driver Set.ppkg – Deployment Asset Provisioning Package for Windows 10
+
+- Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+## Surface 3
+
+
+Download the following updates [for Surface 3 from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690289).
+
+- Surface3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+
+- Surface3\_Win8x\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro
+
+- Surface3\_Win8x\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+## Surface 3 LTE
+
+
+Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690290).
+
+- Surface3\_US1\_Win10\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
+
+- Surface3\_US1\_Win10\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
+
+- Surface3\_US1\_Win8x\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
+
+- Surface3\_US1\_Win8x\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690291).
+
+- Surface3\_NAG\_Win10\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
+
+- Surface3\_NAG\_Win10\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
+
+- Surface3\_NAG\_Win8x\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
+
+- Surface3\_NAG\_Win8x\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690292).
+
+- Surface3\_ROW\_Win10\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
+
+- Surface3\_ROW\_Win10\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
+
+- Surface3\_ROW\_Win8x\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
+
+- Surface3\_ROW\_Win8x\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
+
+## Surface Pro 2
+
+
+Download the following updates [for Surface Pro 2 from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690293).
+
+- SurfacePro2\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+
+- SurfacePro2\_Win8x\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
+
+## Surface Pro
+
+
+Download the following updates [for Surface Pro from the Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=690294).
+
+- SurfacePro\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
+
+- Surface Pro 1 - xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro
+
+- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers
+
+- Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
+
+## Surface RT
+
+
+There are no downloadable firmware or driver updates available for Surface RT. Updates can only be applied using Windows Update.
+
+If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](http://go.microsoft.com/fwlink/p/?LinkId=618107).
+
+
+
+
+
+
+
+
+
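Review bot: every download link in this file, including the ones that lead to firmware packages, is a plain `http://go.microsoft.com/fwlink/...` URL; use `https://` so the redirect to the Download Center cannot be altered in transit, and consider adding a line telling administrators to check the digital signature of the .msi packages before deploying them. Under **Surface Book** and **Surface Pro 4** the Wintab entry is described as an update for Windows 8.1 although only Windows 10 packages are listed for those devices, so please confirm the description. The note defines the placeholder as *xxxxxx* but the Wintab file names use `xxxxx`, and the ROW entries read "rest of the world cumulative - Cumulative firmware", which repeats the word.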
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
new file mode 100644
index 0000000000..6a6c9f753c
--- /dev/null
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -0,0 +1,89 @@
+---
+title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
+description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
+ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
+keywords: ["network", "wireless", "device", "deploy", "authenticaion", "protocol"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices
+
+
+Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
+
+If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](http://go.microsoft.com/fwlink/p/?LinkId=716899).
+
+You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
+
+## Download PEAP, EAP-FAST, or Cisco LEAP installation files
+
+
+You can download the MSI installation files for PEAP, EAP-FAST, or Cisco LEAP in a single zip archive file from the Microsoft Download Center. To download this file, go to the [Surface Tools for IT](http://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center, click **Download**, and then select the **Cisco EAP-Supplicant Installer.zip** file.
+
+## Deploy PEAP, EAP-FAST, or Cisco LEAP with MDT
+
+
+If you are already performing a Windows deployment to Surface devices in your organization, it is quick and easy to add the installation files for each protocol to your deployment share and configure automatic installation during deployment. You can even configure a task sequence that updates previously deployed Surface devices to provide support for these protocols using the same process.
+
+To enable support for PEAP, EAP-FAST, or Cisco LEAP on newly deployed Surface devices, follow these steps:
+
+1. Download and extract the installation files for each protocol to separate folders in an easily accessible location.
+
+2. Open the MDT Deployment Workbench and expand your deployment share to the **Applications** folder.
+
+3. Select **New Application** from the **Action** pane.
+
+4. Choose **Application with source files** to copy the MSI files into the Deployment Share.
+
+5. Select the folder you created in step 1 for the desired protocol.
+
+6. Name the folder in the deployment share where the installation files will be stored.
+
+7. Specify the command line to deploy the application:
+
+ - For PEAP use **EAP-PEAP.msi /qn /norestart**.
+
+ - For LEAP use **EAP-LEAP.msi /qn /norestart**.
+
+ - For EAP-FAST use **EAP-FAST.msi /qn /norestart**.
+
+8. Use the default options to complete the New Application Wizard.
+
+9. Repeat steps 3 through 8 for each desired protocol.
+
+After you’ve performed these steps to import the three MSI packages as applications into MDT, they will be available for selection in the Applications page of the Windows Deployment Wizard. Although in some simple deployment scenarios it might be sufficient to have technicians select each package at the time of deployment, it is not recommended. This practice introduces the possibility that a technician could attempt to apply these packages to computers other than Surface devices, or that a Surface device could be deployed without EAP support due to human error.
+
+To hide these applications from the Install Applications page, select the **Hide this application in the Deployment Wizard** checkbox in the properties of each application. After the applications are hidden, they will not be displayed as optional applications during deployment. To deploy them in your Surface deployment task sequence, they must be explicitly defined for installation through a separate step in the task sequence.
+
+To specify the protocol(s) explicitly, follow these steps:
+
+1. Open your Surface deployment task sequence properties from the MDT Deployment Workbench.
+
+2. On the **Task Sequence** tab, select the **Install Applications** step under **State Restore**. This is typically found between the pre-application and post-application Windows Update steps.
+
+3. Use the **Add** button to create a new **Install Application** step from the **General** category.
+
+4. Select **Install a single application** in the step **Properties** tab.
+
+5. Select the desired EAP protocol from the list.
+
+6. Repeat steps 2 through 5 for each desired protocol.
+
+## Deploy PEAP, EAP-FAST, or Cisco LEAP with Configuration Manager
+
+
+For organizations that manage Surface devices with Configuration Manager, it is even easier to deploy PEAP, EAP-FAST, or Cisco LEAP support to Surface devices. Simply import each MSI file as an application from the Software Library and configure a deployment to your Surface device collection.
+
+For more information on how to deploy applications with Configuration Manager see [How to Create Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=761079) and [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=761080).
+
+
+
+
+
+
+
+
+
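Review bot: the `keywords` front matter misspells "authentication" as "authenticaion", which will hurt search on exactly the term readers use for this page. `ms.prod` is `w10` here but `W10` in the other new Surface files in this patch, so pick one. In the second procedure, step 6 says "Repeat steps 2 through 5", but step 2 only selects the existing **Install Applications** step, so the range should probably start at step 3. The sentence "it is not recommended" after the first procedure would read more clearly if it named the practice, for example "letting technicians select each package manually is not recommended".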
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
new file mode 100644
index 0000000000..14c36f3fdb
--- /dev/null
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -0,0 +1,91 @@
+---
+title: Ethernet adapters and Surface deployment (Surface)
+description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
+ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
+keywords: ["ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Ethernet adapters and Surface deployment
+
+
+This article provides guidance and answers to help you perform a network deployment to Surface devices.
+
+Network deployment to Surface devices can pose some unique challenges for system administrators. Due to the lack of a native wired Ethernet adapter, administrators must provide connectivity through a removable Ethernet adapter.
+
+## Select an Ethernet adapter for Surface devices
+
+
+Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter.
+
+The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using System Center Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
+
+Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](http://go.microsoft.com/fwlink/p/?LinkId=722364) use a chipset that is compatible with the Surface firmware.
+
+The following Ethernet devices are supported for network boot with Surface devices:
+
+- Surface USB to Ethernet adapter
+
+- Surface USB 3.0 Ethernet adapter
+
+- Surface Dock
+
+- Surface 3 Docking Station
+
+- Surface Pro 3 Docking Station
+
+- Docking Station for Surface Pro and Surface Pro 2
+
+Third-party Ethernet adapters are also supported for network deployment, although they do not support PXE boot. To use a third-party Ethernet adapter, you must load the drivers into the deployment boot image and you must launch that boot image from a separate storage device, such as a USB stick.
+
+## Boot Surface devices from the network
+
+
+To boot from the network or a connected USB stick, you must instruct the Surface device to boot from an alternate boot device. You can alter the boot order in the system firmware to prioritize USB boot devices, or you can instruct it to boot from an alternate boot device during the boot up process.
+
+To boot a Surface device from an alternative boot device, follow these steps:
+
+1. Ensure the Surface device is powered off.
+2. Press and hold the **Volume Down** button.
+3. Press and release the **Power** button.
+4. After the system begins to boot from the USB stick or Ethernet adapter, release the **Volume Down** button.
+
+**Note** In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.
+
+
+
+To support booting from the network in a Windows Preinstallation Environment (WinPE), such as is used in the Microsoft Deployment Toolkit and Configuration Manager, you must add drivers for the Ethernet adapter to WinPE. You can download the drivers for Surface Ethernet adapters from the Microsoft Download Center page for your specific device. For a list of the available downloads for Surface devices, see [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+
+## Manage MAC addresses with removable Ethernet adapters
+
+
+Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers.
+
+The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks.
+
+Another potential solution to avoid conflict when adapters are shared is to use the [Microsoft Deployment Toolkit (MDT)](http://go.microsoft.com/fwlink/p/?LinkId=618117) to perform deployment to Surface devices. MDT does not use the MAC address to identify individual computers and thus is not subject to this limitation. However, MDT does use Windows Deployment Services to provide PXE boot functionality, and is subject to the limitations regarding pre-staged clients which is covered later in this section.
+
+When you use a shared adapter for deployment, the solution for affected deployment technologies is to use another means to identify unique systems. For Configuration Manager and WDS, both of which can be affected by this issue, the solution is to use the System Universal Unique Identifier (System UUID) that is embedded in the computer firmware by the computer manufacturer. For Surface devices, you can see this entry in the computer firmware under **Device Information**.
+
+To access the firmware of a Surface device, follow these steps:
+
+1. Ensure the Surface device is powered off.
+2. Press and hold the **Volume Up** button.
+3. Press and release the **Power** button.
+4. After the device begins to boot, release the **Volume Up** button.
+
+When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](http://go.microsoft.com/fwlink/p/?LinkId=618118). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](http://go.microsoft.com/fwlink/p/?LinkId=618119) in **Windows Deployment Server Properties**.
+
+The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](http://go.microsoft.com/fwlink/p/?LinkId=618120) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
+
+
+
+
+
+
+
+
+
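Review bot: In the WDS paragraph, selecting **Respond to all client computers (known and unknown)** is offered as an equal alternative to pre-staging by System UUID, but the text does not say that this drops the known-client restriction altogether, so the server then answers PXE requests from any client on the network. Suggest stating that trade-off and naming System UUID pre-staging as the preferred fix where the server is deliberately limited to known clients. Minor: in the MDT paragraph, "limitations regarding pre-staged clients which is covered" should read "which are covered", and the run of blank added lines at the end of the hunk can be dropped.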
diff --git a/devices/surface/images/data-eraser-3.png b/devices/surface/images/data-eraser-3.png
new file mode 100644
index 0000000000..eed3836aa7
Binary files /dev/null and b/devices/surface/images/data-eraser-3.png differ
diff --git a/devices/surface/images/dataeraser-complete-process.png b/devices/surface/images/dataeraser-complete-process.png
new file mode 100644
index 0000000000..c7d0ee1d09
Binary files /dev/null and b/devices/surface/images/dataeraser-complete-process.png differ
diff --git a/devices/surface/images/dataeraser-start-tool.png b/devices/surface/images/dataeraser-start-tool.png
new file mode 100644
index 0000000000..a727d8a870
Binary files /dev/null and b/devices/surface/images/dataeraser-start-tool.png differ
diff --git a/devices/surface/images/dataeraser-usb-selection.png b/devices/surface/images/dataeraser-usb-selection.png
new file mode 100644
index 0000000000..6c5382c7b0
Binary files /dev/null and b/devices/surface/images/dataeraser-usb-selection.png differ
diff --git a/devices/surface/images/manage-surface-dock-fig1-updateprocess.png b/devices/surface/images/manage-surface-dock-fig1-updateprocess.png
new file mode 100644
index 0000000000..e779fa33ef
Binary files /dev/null and b/devices/surface/images/manage-surface-dock-fig1-updateprocess.png differ
diff --git a/devices/surface/images/sda-fig1-select-steps.png b/devices/surface/images/sda-fig1-select-steps.png
new file mode 100644
index 0000000000..15e6e64edc
Binary files /dev/null and b/devices/surface/images/sda-fig1-select-steps.png differ
diff --git a/devices/surface/images/sda-fig2-specify-local.png b/devices/surface/images/sda-fig2-specify-local.png
new file mode 100644
index 0000000000..24d002bc50
Binary files /dev/null and b/devices/surface/images/sda-fig2-specify-local.png differ
diff --git a/devices/surface/images/sda-fig5-erase.png b/devices/surface/images/sda-fig5-erase.png
new file mode 100644
index 0000000000..cf8abe7dce
Binary files /dev/null and b/devices/surface/images/sda-fig5-erase.png differ
diff --git a/devices/surface/images/sdasteps-fig1.png b/devices/surface/images/sdasteps-fig1.png
new file mode 100644
index 0000000000..2f83597305
Binary files /dev/null and b/devices/surface/images/sdasteps-fig1.png differ
diff --git a/devices/surface/images/sdasteps-fig10-rules.png b/devices/surface/images/sdasteps-fig10-rules.png
new file mode 100644
index 0000000000..581c6f1492
Binary files /dev/null and b/devices/surface/images/sdasteps-fig10-rules.png differ
diff --git a/devices/surface/images/sdasteps-fig11-bootstrap.ini.png b/devices/surface/images/sdasteps-fig11-bootstrap.ini.png
new file mode 100644
index 0000000000..64a4bd9aad
Binary files /dev/null and b/devices/surface/images/sdasteps-fig11-bootstrap.ini.png differ
diff --git a/devices/surface/images/sdasteps-fig12-updatemedia.png b/devices/surface/images/sdasteps-fig12-updatemedia.png
new file mode 100644
index 0000000000..01a677ba02
Binary files /dev/null and b/devices/surface/images/sdasteps-fig12-updatemedia.png differ
diff --git a/devices/surface/images/sdasteps-fig13-taskseq.png b/devices/surface/images/sdasteps-fig13-taskseq.png
new file mode 100644
index 0000000000..1fe51f0b60
Binary files /dev/null and b/devices/surface/images/sdasteps-fig13-taskseq.png differ
diff --git a/devices/surface/images/sdasteps-fig14-credentials.png b/devices/surface/images/sdasteps-fig14-credentials.png
new file mode 100644
index 0000000000..d2944325f4
Binary files /dev/null and b/devices/surface/images/sdasteps-fig14-credentials.png differ
diff --git a/devices/surface/images/sdasteps-fig15-deploy.png b/devices/surface/images/sdasteps-fig15-deploy.png
new file mode 100644
index 0000000000..14cc461225
Binary files /dev/null and b/devices/surface/images/sdasteps-fig15-deploy.png differ
diff --git a/devices/surface/images/sdasteps-fig16-computername.png b/devices/surface/images/sdasteps-fig16-computername.png
new file mode 100644
index 0000000000..1960c5b138
Binary files /dev/null and b/devices/surface/images/sdasteps-fig16-computername.png differ
diff --git a/devices/surface/images/sdasteps-fig17-installprogresswindow.png b/devices/surface/images/sdasteps-fig17-installprogresswindow.png
new file mode 100644
index 0000000000..ab2c456857
Binary files /dev/null and b/devices/surface/images/sdasteps-fig17-installprogresswindow.png differ
diff --git a/devices/surface/images/sdasteps-fig2.png b/devices/surface/images/sdasteps-fig2.png
new file mode 100644
index 0000000000..4edeb35ca3
Binary files /dev/null and b/devices/surface/images/sdasteps-fig2.png differ
diff --git a/devices/surface/images/sdasteps-fig3.png b/devices/surface/images/sdasteps-fig3.png
new file mode 100644
index 0000000000..728ddab514
Binary files /dev/null and b/devices/surface/images/sdasteps-fig3.png differ
diff --git a/devices/surface/images/sdasteps-fig4-select.png b/devices/surface/images/sdasteps-fig4-select.png
new file mode 100644
index 0000000000..48f7d695a2
Binary files /dev/null and b/devices/surface/images/sdasteps-fig4-select.png differ
diff --git a/devices/surface/images/sdasteps-fig5-installwindow.png b/devices/surface/images/sdasteps-fig5-installwindow.png
new file mode 100644
index 0000000000..66f1814146
Binary files /dev/null and b/devices/surface/images/sdasteps-fig5-installwindow.png differ
diff --git a/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png b/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png
new file mode 100644
index 0000000000..7c6750a0c8
Binary files /dev/null and b/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png differ
diff --git a/devices/surface/images/sdasteps-fig7-diskpart.png b/devices/surface/images/sdasteps-fig7-diskpart.png
new file mode 100644
index 0000000000..70b517f3f1
Binary files /dev/null and b/devices/surface/images/sdasteps-fig7-diskpart.png differ
diff --git a/devices/surface/images/sdasteps-fig8-mediafolder.png b/devices/surface/images/sdasteps-fig8-mediafolder.png
new file mode 100644
index 0000000000..f6a862e60f
Binary files /dev/null and b/devices/surface/images/sdasteps-fig8-mediafolder.png differ
diff --git a/devices/surface/images/sdasteps-fig9-location.png b/devices/surface/images/sdasteps-fig9-location.png
new file mode 100644
index 0000000000..c8247de908
Binary files /dev/null and b/devices/surface/images/sdasteps-fig9-location.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig1-uptodate-568pix.png b/devices/surface/images/surfacedockupdater-fig1-uptodate-568pix.png
new file mode 100644
index 0000000000..900ffd9269
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig1-uptodate-568pix.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig2a-needsupdating.png b/devices/surface/images/surfacedockupdater-fig2a-needsupdating.png
new file mode 100644
index 0000000000..4c690e0a7f
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig2a-needsupdating.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig3-progress.png b/devices/surface/images/surfacedockupdater-fig3-progress.png
new file mode 100644
index 0000000000..aa56e090e9
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig3-progress.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig4-disconnect.png b/devices/surface/images/surfacedockupdater-fig4-disconnect.png
new file mode 100644
index 0000000000..4892dce1ba
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig4-disconnect.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig5-success.png b/devices/surface/images/surfacedockupdater-fig5-success.png
new file mode 100644
index 0000000000..790ff235e9
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig5-success.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig6-countdown.png b/devices/surface/images/surfacedockupdater-fig6-countdown.png
new file mode 100644
index 0000000000..fa208e0e4a
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig6-countdown.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig7-error.png b/devices/surface/images/surfacedockupdater-fig7-error.png
new file mode 100644
index 0000000000..c18ef16b4c
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig7-error.png differ
diff --git a/devices/surface/images/surfacedockupdater-fig8-737test.png b/devices/surface/images/surfacedockupdater-fig8-737test.png
new file mode 100644
index 0000000000..c101313b96
Binary files /dev/null and b/devices/surface/images/surfacedockupdater-fig8-737test.png differ
diff --git a/devices/surface/index.md b/devices/surface/index.md
new file mode 100644
index 0000000000..fb08705db4
--- /dev/null
+++ b/devices/surface/index.md
@@ -0,0 +1,96 @@
+---
+title: Surface (Surface)
+description: .
+ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Surface
+
+
+## Purpose
+
+
+This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
+## In this section
+
+
+
+
+
+
+
+
+
+
+
+
+[Advanced UEFI security features for Surface](advanced-uefi-security-features-for-surface.md) |
+This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. |
+
+
+[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) |
+This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization. |
+
+
+[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) |
+This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. |
+
+
+[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) |
+Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
+
+
+[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md) |
+This article provides guidance and answers to help you perform a network deployment to Surface devices. |
+
+
+[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) |
+Read about the different methods you can use to manage the process of Surface Dock firmware updates. |
+
+
+[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) |
+This article describes the available options to manage firmware and driver updates for Surface devices. |
+
+
+[Surface Data Eraser](microsoft-surface-data-eraser.md) |
+Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
+
+
+[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) |
+Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
+
+
+[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) |
+Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
+
+
+[Surface Dock Updater](surface-dock-updater.md) |
+This article provides a detailed walkthrough of Microsoft Surface Dock Updater. |
+
+
+
+
+
+
+## Related topics
+
+
+[Surface TechCenter](https://technet.microsoft.com/windows/surface)
+
+[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
+
+
+
+
+
+
+
+
+
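Review bot: The front matter sets `description: .`, a placeholder that will ship as the page description; the other new Surface articles in this patch carry a real sentence there, and the Purpose paragraph would serve. Under "In this section", each entry ends in a trailing `|` with no header or separator row, so it will not render as a table; either restore the table markup or convert the entries to a plain list. The `## In this section` heading also needs a blank line before it, since it follows the Purpose paragraph directly.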
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
new file mode 100644
index 0000000000..be1d2e63f1
--- /dev/null
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -0,0 +1,118 @@
+---
+title: Manage Surface Dock firmware updates (Surface)
+description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
+ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Manage Surface Dock firmware updates
+
+
+Read about the different methods you can use to manage the process of Surface Dock firmware updates.
+
+The Surface Dock provides external connectivity to Surface devices through a single cable connection that includes Power, Ethernet, Audio, USB 3.0, and DisplayPort. The numerous connections provided by the Surface Dock are enabled by a smart chipset within the Surface Dock device. Like a Surface device’s chipset, the chipset that is built into the Surface Dock is controlled by firmware.
+
+Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device.
+
+**Note**
+You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:
+
+- [How to manage and update your drivers and firmware for Surface](http://go.microsoft.com/fwlink/p/?LinkId=785353) from Microsoft Mechanics
+
+- [Windows Update Makes Surface Better](http://go.microsoft.com/fwlink/p/?LinkId=785354)on the Microsoft Devices Blog
+
+
+
+The Surface Dock firmware update process shown in Figure 1 follows these steps:
+
+1. Drivers for Surface Dock are installed on Surface devices that are connected, or have been previously connected, to a Surface Dock.
+
+2. The drivers for Surface Dock are loaded when a Surface Dock is connected to the Surface device.
+
+3. The firmware version installed in the Surface Dock is compared with the firmware version staged by the Surface Dock driver.
+
+4. If the firmware version on the Surface Dock is older than the firmware version contained in the Surface Dock driver, the main chipset firmware update files are copied from the driver to the Surface Dock.
+
+5. When the Surface Dock is disconnected, the Surface Dock installs the firmware update to the main chipset.
+
+6. When the Surface Dock is connected again, the main chipset firmware is verified against the firmware present in the Surface Dock driver.
+
+7. If the firmware update for the main chipset is installed successfully, the Surface Dock driver copies the firmware update for the DisplayPort.
+
+8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
+
+
+
+*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
+
+*2 - The Surface Dock firmware installation process takes approximately 3 minutes*
+
+Figure 1. The Surface Dock firmware update process
+
+If the firmware installation process is interrupted (for example, if power is disconnected from the Surface Dock during firmware installation), the Surface Dock will automatically revert to the prior firmware without disruption to the user, and the update process will restart the next time the Surface Dock is disconnected. For most users this update process should be entirely transparent.
+
+## Methods for updating Surface Dock firmware
+
+
+There are three methods you can use to update the firmware of the Surface Dock:
+
+- [Automatic installation of drivers with Windows Update](#automatic-installation)
+
+- [Deployment of drivers downloaded from the Microsoft Download Center](#deployment-dlc)
+
+- [Manually update with Microsoft Surface Dock Updater](#manual-updater)
+
+## Automatic installation with Windows Update
+
+
+Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use.
+
+**Note**
+The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using.
+
+
+
+## Deployment of drivers downloaded from the Microsoft Download Center
+
+
+This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method.
+
+For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=785355).
+
+**Note**
+When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
+
+**HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
+
+Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset:
+
+- **Component*xx*CurrentFwVersion** – This key displays the version of firmware that is installed on the currently connected or most recently connected Surface Dock.
+
+- **Component*xx*OfferFwVersion** – This key displays the version of firmware staged by the Surface Dock driver.
+
+- **Component*xx*FirmwareUpdateStatus** – This key displays the stage of the Surface Dock firmware update process.
+
+- **Component*xx*FirmwareUpdateStatusRejectReason** – This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware.
+
+These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment.
+
+
+
+## Manually update with Microsoft Surface Dock Updater
+
+
+The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock.
+
+For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](http://go.microsoft.com/fwlink/p/?LinkId=618121) on the Microsoft Download Center.
+
+
+
+
+
+
+
+
+
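Review bot: The registry path in the Download Center section begins with `HLKM\\`, which is not a registry hive abbreviation; it should read `HKLM\\`, otherwise anyone copying the path to check dock firmware status will not find the key. In "Methods for updating Surface Dock firmware", the three links target `#automatic-installation`, `#deployment-dlc` and `#manual-updater`, but no matching anchors are defined in this hunk, so confirm they resolve to the three section headings. Also, a space is missing before "on the Microsoft Devices Blog", and step 8 says the DisplayPort update takes "up to 3 minutes" while footnote 2 says "approximately 3 minutes"; pick one wording.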
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
new file mode 100644
index 0000000000..7a8b380b8b
--- /dev/null
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -0,0 +1,70 @@
+---
+title: Manage Surface driver and firmware updates (Surface)
+description: This article describes the available options to manage firmware and driver updates for Surface devices.
+ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
+keywords: ["Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Manage Surface driver and firmware updates
+
+
+This article describes the available options to manage firmware and driver updates for Surface devices.
+
+For a list of the available downloads for Surface devices and links to download the drivers and firmware for your device, see [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+
+On Surface devices, the firmware is exposed to the operating system as a driver and is visible in Device Manager. This allows a Surface device firmware to be automatically updated along with all drivers through Windows Update. This mechanism provides a seamless, automatic experience to receive the latest firmware and driver updates. Although automatic updating is easy for end users, updating firmware and drivers automatically may not always apply to organizations and businesses. Automatic updates with Windows Update may not be applicable where updates are carefully managed, or when you deploy a new operating system to a Surface device.
+
+## Methods for firmware deployment
+
+
+Although firmware is provided automatically by Windows Update for computers that receive updates directly from Microsoft, in environments where updates are carefully managed by using Windows Server Update Services (WSUS), updating the firmware through Windows Update is not supported. For managed environments, there are a number of options you can use to deploy firmware updates.
+
+**Windows Update**
+
+The simplest solution to ensure that firmware on Surface devices in your organization is kept up to date is to allow Surface devices to receive updates directly from Microsoft. You can implement this solution easily by excluding Surface devices from Group Policy that directs computers to receive updates from WSUS.
+
+Although this solution ensures that firmware will be updated as new releases are made available to Windows Update, it does present potential drawbacks. Each Surface device that receives Windows Updates directly will separately download each update rather than accessing a central location, which increases demand on Internet connectivity and bandwidth. Updates are also provided automatically to devices, without being subjected to testing or review by administrators.
+
+For details about Group Policy for client configuration of WSUS or Windows Update, see [Step 5: Configure Group Policy Settings for Automatic Updates](http://go.microsoft.com/fwlink/p/?LinkId=618172).
+
+**Windows Installer Package**
+
+The firmware and driver downloads for Surface devices now include MSI installation files for firmware and driver updates. These MSI packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the MSI package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the MSI package, see the [Surface Pro 3 MSI Now Available](http://go.microsoft.com/fwlink/p/?LinkId=618173) blog post.
+
+For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618175). For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](http://go.microsoft.com/fwlink/p/?LinkId=618176). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
+
+**Provisioning packages**
+
+New in Windows 10, provisioning packages (PPKG files) provide a simple method to apply a configuration to a destination device. You can find out more about provisioning packages, including instructions for how to create your own, in [Provisioning packages](http://go.microsoft.com/fwlink/p/?LinkId=761075). For easy application of a complete set of drivers and firmware to devices running Windows 10, a provisioning package is supplied for Surface Pro 3 devices. This file contains all of the instructions and required assets to update a Surface Pro 3 device with Windows 10 to the latest drivers and firmware.
+
+**Windows PowerShell**
+
+Another method you can use to update the firmware when Windows Updates are managed in the organization is to install the firmware from the firmware and driver pack by using PowerShell. This method allows for a similar deployment experience to the Windows Installer package and can similarly be deployed as a package by using System Center Configuration Manager. You can find the PowerShell script and details on how to perform the firmware deployment in the [Deploying Drivers and Firmware to Surface Pro](http://go.microsoft.com/fwlink/p/?LinkId=618177) blog post.
+
+## Operating system deployment considerations
+
+
+The deployment of firmware updates during an operating system deployment is a straightforward process. The firmware and driver pack can be imported into either System Center Configuration Manager or MDT, and are used to deploy a fully updated environment, complete with firmware, to a target Surface device. For a complete step-by-step guide for deployment to Surface Pro 3 using either Configuration Manager or MDT, download the [Deployment and Administration Guide for Surface Pro 3](http://go.microsoft.com/fwlink/p/?LinkId=618178) from the Microsoft Download Center.
+
+The individual driver files are also made available in the Microsoft Download Center if you are using deployment tools. The driver files are available in the ZIP archive file in the list of available downloads for your device.
+
+**Windows PE and Surface firmware and drivers**
+
+A best practice for deployment with any solution that uses the Windows Preinstallation Environment (WinPE), such as System Center Configuration Manager or MDT, is to configure WinPE with only the drivers that are required during the WinPE stage of deployment. These usually include drivers for network adapters and storage controllers. This best practice helps to prevent errors with more complex drivers that rely on components that are not present in WinPE. For Surface Pro 3 devices, this is especially true of the Touch Firmware. The Touch Firmware should never be loaded in a WinPE environment on Surface Pro 3.
+
+**Update Surface Pro 3 firmware offline through USB**
+
+In some early versions of Surface Pro 3 firmware, PXE boot performance can be quite slow. This has been resolved with updated firmware, but for organizations where firmware will be updated through operating system deployment, this issue is encountered before the updates can be deployed to the device. In this scenario, you can deploy updated firmware through a USB drive to ensure that when the operating system deployment is initiated, the network boot is quick, and deployment can complete in a timely fashion. To create a USB drive to update Surface Pro 3 firmware, see [How to Update the Surface Pro 3 Firmware Offline using a USB Drive](http://go.microsoft.com/fwlink/p/?LinkId=618189) on the Ask Premier Field Engineering (PFE) Platforms TechNet Blog.
+
+
+
+
+
+
+
+
+
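Review bot: Under "Provisioning packages", the text says a package "is supplied for Surface Pro 3 devices" but gives no link or location for it; the only link in that paragraph goes to general provisioning package documentation, while every other method in this section points to where its files or instructions live. Add where the package is obtained. In the front matter, the `keywords` value puts all nine terms inside one quoted string, so it parses as a single keyword; split it into separately quoted entries, as the Data Eraser article in this patch does.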
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
new file mode 100644
index 0000000000..bf0348511d
--- /dev/null
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -0,0 +1,149 @@
+---
+title: Microsoft Surface Data Eraser (Surface)
+description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
+ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
+keywords: ["tool", "USB", "data", "erase"]
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Microsoft Surface Data Eraser
+
+
+Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
+
+[Microsoft Surface Data Eraser](http://go.microsoft.com/fwlink/p/?LinkId=691148) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](http://go.microsoft.com/fwlink/p/?LinkId=691222).
+
+Compatible Surface devices include:
+
+- Surface Book
+
+- Surface Pro 4
+
+- Surface Pro3
+
+- Surface 3
+
+- Surface 3 LTE
+
+- Surface Pro 2
+
+Some scenarios where Microsoft Surface Data Eraser can be helpful include:
+
+- Prepare a Surface device to be sent for repair
+
+- Decommission a Surface device to be removed from corporate or organizational use
+
+- Repurpose a Surface device for use in a new department or for use by a new user
+
+- Standard practice when performing reimaging for devices used with sensitive data
+
+**Note**
+Third-party devices, Surface devices running Windows RT (including Surface and Surface 2), and Surface Pro are not compatible with Microsoft Surface Data Eraser.
+
+
+
+**Note**
+Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
+
+
+
+## How to create a Microsoft Surface Data Eraser USB stick
+
+
+To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft Surface Data Eraser setup tool from the Microsoft Download Center using the link provided at the beginning of this article. You do not need a Surface device to *create* the USB stick. After you have downloaded the installation file to your computer, follow these steps to install the Microsoft Surface Data Eraser creation tool:
+
+1. Run the DataEraserSetup.msi installation file that you downloaded from the Microsoft Download Center.
+
+2. Select the check box to accept the terms of the license agreement, and then click **Install**.
+
+3. Click **Finish** to close the Microsoft Surface Data Eraser setup window.
+
+After the creation tool is installed, follow these steps to create a Microsoft Surface Data Eraser USB stick. Before you begin these steps, ensure that you have a USB 3.0 stick that is 4 GB or larger connected to the computer.
+
+1. Start Microsoft Surface Data Eraser from the Start menu or Start screen.
+
+2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process.
+
+3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.
+
+ 
+
+ Figure 1. Start the Microsoft Surface Data Eraser tool
+
+4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
+
+ **Note**
+ If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
+
+
+
+ 
+
+ Figure 2. USB thumb drive selection
+
+5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
+
+6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
+
+ 
+
+ Figure 3. Complete the Microsoft Surface Data Eraser USB creation process
+
+7. Click **X** to close Microsoft Surface Data Eraser.
+
+## How to use a Microsoft Surface Data Eraser USB stick
+
+
+After you create a Microsoft Surface Data Eraser USB stick, you can boot a supported Surface device from the USB stick by following this procedure:
+
+1. Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device.
+
+2. Ensure your system firmware is set to boot to USB. To enter the firmware settings:
+
+ 1. Turn off your Surface device.
+
+ 2. Press and hold the **Volume Up** button.
+
+ 3. Press and release the **Power** button.
+
+ 4. Release the **Volume Up** button.
+
+3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
+
+ 
+
+ Figure 4. Booting the Microsoft Surface Data Eraser USB stick
+
+4. Read the software license terms, and then close the notepad file.
+
+5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**.
+
+6. Select one of the following three options:
+
+ - **Enter S to start Data Erase** – Select this option to begin the data erase process. You will have a chance to confirm in the next step.
+
+ - **Enter D to perform Diskpart** – Select this option to use diskpart.exe to manage partitions on your disk.
+
+ - **Enter X to shut device down** – Select this option to perform no action and shut down the device.
+
+7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
+
+ 
+
+ Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
+
+8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
+
+9. Click the **Yes** button to continue erasing data on the Surface device.
+
+
+
+
+
+
+
+
+
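Review bot: The "How to use a Microsoft Surface Data Eraser USB stick" procedure stops at step 9 ("Click the **Yes** button to continue erasing data on the Surface device") without saying what the tool displays when the erase finishes or how an operator confirms that it succeeded. For the repair, decommissioning and repurposing scenarios listed at the top of the article, that confirmation is the part that gets recorded, so add a final step describing the completion state and what to do if the erase fails. Step 2 has a related gap: it says to ensure the firmware is set to boot to USB, but its sub-steps only cover entering the firmware settings, not which setting to check. Minor: the compatibility list has "Surface Pro3" where every other entry uses a space, and the file ends with a run of empty added lines.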
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
new file mode 100644
index 0000000000..7b79663642
--- /dev/null
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -0,0 +1,91 @@
+---
+title: Microsoft Surface Deployment Accelerator (Surface)
+description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
+ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
+keywords: ["deploy", "install", "tool"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Microsoft Surface Deployment Accelerator
+
+
+Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
+
+Microsoft Surface Deployment Accelerator includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use Microsoft Surface Deployment Accelerator to create and capture a Windows reference image and then deploy it with the latest Windows Updates.
+
+Microsoft Surface Deployment Accelerator is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
+
+You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=691693).
+
+### Download Microsoft Surface Deployment Accelerator
+
+You can download the installation files for Microsoft Surface Deployment Accelerator from the Microsoft Download Center. To download the installation files:
+
+1. Go to the [Surface Tools for IT](http://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center.
+
+2. Click the **Download** button, select the **Surface\_Deployment\_Accelerator\_xxxx.msi** file, and then click **Next**.
+
+## Microsoft Surface Deployment Accelerator prerequisites
+
+
+Before you install Microsoft Surface Deployment Accelerator, your environment must meet the following prerequisites:
+
+- Microsoft Surface Deployment Accelerator must be installed on Windows Server 2012 R2 or later
+
+- PowerShell Script Execution Policy must be set to **Unrestricted**
+
+- DHCP and DNS must be enabled on the network where the Windows Server 2012 R2 environment is connected
+
+- To download Surface drivers and apps automatically the Windows Server 2012 R2 environment must have Internet access and Internet Explorer Enhanced Security Configuration must be disabled
+
+- To support network boot, the Windows Server 2012 R2 environment must have Windows Deployment Services installed and configured to respond to PXE requests
+
+- Access to Windows source files or installation media is required when you prepare a deployment with Microsoft Surface Deployment Accelerator
+
+- At least 6 GB of free space for each version of Windows you intend to deploy
+
+## How Microsoft Surface Deployment Accelerator works
+
+
+As you progress through the Microsoft Surface Deployment Accelerator wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
+
+
+
+Figure 1: Select desired apps and drivers
+
+When the Microsoft Surface Deployment Accelerator completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the Microsoft Surface Deployment Accelerator wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
+
+You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](http://go.microsoft.com/fwlink/p/?linkid=691700), or to [pause the automated installation routine](http://go.microsoft.com/fwlink/p/?linkid=691701). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
+
+**Note**
+With Microsoft Surface Deployment Accelerator v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
+
+
+
+## Use Microsoft Surface Deployment Accelerator without an Internet connection
+
+
+For environments where the Microsoft Surface Deployment Accelerator server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
+
+
+
+Figure 2. Specify a local source for Surface driver and app files
+
+You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+
+**Note**
+Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
+
+
+
+
+
+
+
+
+
+
+
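Review bot: The prerequisites list requires "PowerShell Script Execution Policy must be set to **Unrestricted**" and, for automatic downloads, that "Internet Explorer Enhanced Security Configuration must be disabled", with no scope or duration given for either change. Both loosen hardening settings on the deployment server, so state whether they are needed only while the wizard runs and add a line telling administrators to restore the previous values afterwards. Since the Internet Explorer Enhanced Security Configuration requirement applies only to automatic download, it would also help to point from that bullet to the "Use Microsoft Surface Deployment Accelerator without an Internet connection" section as the way to avoid it. Smaller points: "### Download Microsoft Surface Deployment Accelerator" is an H3 directly under the H1 while the other sections use H2, and the sentence linking to the driver download list has no closing period.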
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
new file mode 100644
index 0000000000..37fa2adb25
--- /dev/null
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -0,0 +1,387 @@
+---
+title: Step by step Surface Deployment Accelerator (Surface)
+description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
+ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
+keywords: ["deploy, configure"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Step by step: Surface Deployment Accelerator
+
+
+This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE).
+
+## How to install Surface Deployment Accelerator
+
+
+For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md).
+
+1. Download SDA, which is included in [Surface Tools for IT](http://go.microsoft.com/fwlink/p/?LinkId=618121) on the Microsoft Download Center.
+
+2. Run the SDA installation file, named **Surface\_Deployment\_Accelerator\_*xxxx*.msi**, where *xxxx* is the current version number.
+
+3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1.
+
+ 
+
+ Figure 1. SDA setup
+
+4. Click **Finish** to complete the installation of SDA.
+
+The tool installs in the Surface Deployment Accelerator program group, as shown in Figure 2.
+
+
+
+Figure 2. The Surface Deployment Accelerator program group and icon
+
+**Note**
+At this point the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
+
+
+
+## Create a deployment share
+
+
+The following steps show how you create a deployment share for Windows 10 that supports Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, and the Surface Asset Tag Tool. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
+
+**Note**
+SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
+
+
+
+1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen.
+
+2. On the **Welcome** page, click **Next** to continue.
+
+3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 1. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+
+4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
+
+5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue:
+
+ - **Configure Deployment Share for Windows 10**
+
+ - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3.
+
+ - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
+
+ - **Windows 10 Deployment Services**
+
+ - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](http://go.microsoft.com/fwlink/p/?LinkId=761072) for more information about how to configure Windows Deployment Services for PXE boot.
+
+ - **Windows 10 Source Files**
+
+ - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**.
+
+ 
+
+ Figure 3. Specify Windows 10 deployment share options
+
+6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface Pro 3 and cannot be selected unless Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
+
+ 
+
+ Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers
+
+7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
+
+ - Download of Windows ADK
+
+ - Installation of Windows ADK
+
+ - Download of MDT
+
+ - Installation of MDT
+
+ - Download of Surface apps and drivers
+
+ - Creation of the deployment share
+
+ - Import of Windows installation files into the deployment share
+
+ - Import of the apps and drivers into the deployment share
+
+ - Creation of rules and task sequences for Windows deployment
+
+ 
+
+ Figure 5. The **Installation Progress** window
+
+8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
+
+### Optional: Create a deployment share without an Internet connection
+
+If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
+
+**Note**
+All of the downloaded driver and applications files must be located in the same folder. The driver and app files do not need to be extracted from the downloaded .zip files.
+
+
+
+
+
+Figure 6. Specify the Surface driver and app files from a local path
+
+**Note**
+The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
+
+
+
+### Optional: Prepare offline USB media
+
+You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection.
+
+**Note**
+The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended.
+
+
+
+Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](http://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7:
+
+1. **diskpart** – Opens DiskPart to manage disks and partitions.
+
+2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive.
+
+3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system.
+
+4. **clean** – Removes all configuration from your USB drive.
+
+ **Warning**
+ This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command.
+
+
+
+5. **create part pri** – Creates a primary partition on the USB drive.
+
+6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices.
+
+7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume.
+
+8. **active** – Sets the partition to be active, which is required to boot the volume.
+
+9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
+
+ 
+
+ Figure 7. Use DiskPart to prepare a USB drive for boot
+
+ **Note**
+ You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
+
+
+
+After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps:
+
+1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen.
+
+2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share.
+
+3. Expand the folder **Advanced Configuration** and select the **Media** folder.
+
+4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard.
+
+ 
+
+ Figure 8. The Media folder of the SDA deployment share
+
+5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
+
+ 
+
+ Figure 9. Specify a location and selection profile for your offline media
+
+6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
+
+7. A **Progress** page is displayed while the media is created.
+
+8. On the **Confirmation** page, click **Finish** to complete creation of the media.
+
+9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10.
+
+ 
+
+ Figure 10. The Rules of the SDA deployment share
+
+10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text.
+
+11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties.
+
+12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab.
+
+13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules.
+
+14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
+
+15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text.
+
+16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window.
+
+17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
+
+18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file.
+
+19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file:
+
+ ```
+ UserID=
+ UserDomain=
+ UserPassword=
+ DeployRoot=\\SDASERVER\SDAWin10
+ UserID=
+ UserDomain=
+ UserPassword=
+ ```
+
+ 
+
+ Figure 11. The Bootstrap.ini file of MEDIA001
+
+20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window.
+
+21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
+
+ Figure 12. Select **Update Media Content**
+
+22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
+
+The final step is to copy the offline media files to your USB drive.
+
+1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**.
+
+2. Copy all of the files from the Content folder to the root of the USB drive.
+
+Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device.
+
+## SDA task sequences
+
+
+The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 1 Lite Touch components](http://technet.microsoft.com/en-us/itpro/windows/deploy/mdt-2013-lite-touch-components).
+
+
+
+Figure 13. Task sequences in the Deployment Workbench
+
+### Deploy Microsoft Surface
+
+The **1 – Deploy Microsoft Surface** task sequence is used to perform a complete deployment of Windows to a Surface device. This task sequence is pre-configured by the SDA wizard and is ready to perform a deployment as soon as the wizard completes. Running this task sequence on a Surface device deploys the unaltered Windows image copied directly from the Windows installation media you specified in the SDA wizard, along with the Surface drivers for your device. The drivers for your Surface device will be automatically selected through the pre-configured deployment share rules.
+
+When you run the task sequence, you will be prompted to provide the following information:
+
+- A computer name
+
+- Your domain information and the credentials required to join the domain
+
+- A product key, if one is required
+
+ **Note**
+ If you are deploying the same version of Windows as the version that came on your device, no product key is required.
+
+
+
+- A time zone
+
+- An Administrator password
+
+The Surface apps you specified on the **Configure** page of the SDA wizard are automatically installed when you run this task sequence on a Surface device.
+
+### Create Windows reference image
+
+The **2 – Create Windows Reference Image** task sequence is used to perform a deployment to a virtual machine for the purpose of capturing an image complete with Windows Updates for use in a deployment to Surface devices. By installing Windows Updates in your reference image, you eliminate the need to download and install those updates on each deployed Surface device. The deployment process with an up-to-date image is significantly faster and more efficient than performing a deployment first and then installing Windows Updates on each device.
+
+Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
+
+**Note**
+Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information see [Deploy a Windows 10 image using MDT 2013 Update 1](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
+
+
+
+In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
+
+## Deployment to Surface devices
+
+
+To perform a deployment from the SDA deployment share, follow this process on the Surface device:
+
+1. Boot the Surface device to MDT boot media for the SDA deployment share. You can do this over the network by using PXE boot, or from a USB drive as described in the [Optional: Prepare offline USB media](#optional) section of this article.
+
+2. Select the deployment share for the version of Windows you intend to deploy and enter your credentials when you are prompted.
+
+3. Select the task sequence you want to run, usually the **1 – Deploy Microsoft Surface** task sequence.
+
+4. Address the task sequence prompts to pick applications, supply a password, and so on.
+
+5. The task sequence performs the automated deployment using the options specified.
+
+### Boot the Surface device from the network
+
+To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy.
+
+To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot (PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB to the device or dock are supported.
+
+To instruct your Surface device to boot from the network, start with the device powered off and follow these steps:
+
+1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the network.
+
+2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has found the WDS PXE server over the network.
+
+3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options.
+
+4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14.
+
+ 
+
+ Figure 14. The prompt for credentials to the deployment share
+
+5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
+
+### Alternatively boot the devices from the USB stick
+
+To boot a device from the USB stick:
+
+1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the USB drive.
+
+2. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
+
+### Run the Deploy Microsoft Surface task sequence
+
+To run the Deploy Microsoft Surface task sequence:
+
+1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.**
+
+ 
+
+ Figure 15. Select the **1 – Deploy Microsoft Surface** task sequence
+
+2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
+
+ 
+
+ Figure 16. Enter the computer name and domain information
+
+3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario.
+
+4. On the **Locale and Time** page, select your desired **Language Settings** and **Time Zone**, and then click **Next.**
+
+5. On the **Administrator Password** page, type a password for the local Administrator account on the Surface device, and then click **Next.**
+
+6. On the **BitLocker** page, select the **Enable BitLocker** option along with your desired configuration of BitLocker protectors if you want to encrypt the device. Otherwise, keep the **Do not enable BitLocker for this computer** check box selected, and then click **Next.**
+
+7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17).
+
+ 
+
+ Figure 17. The **Installation Progress** window
+
+8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
+
+
+
+
+
+
+
+
+
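Review bot: Step 4 under "Boot the Surface device from the network" has the technician enter the domain credentials used to log on to the SDA server, and step 2 of the task sequence asks for domain-join credentials, but neither says what privileges the account needs. Suggest adding a sentence that recommends a dedicated account limited to reading the deployment share and joining computers to the domain, so that administrator credentials are not typed on devices booted from the network. Smaller points: "The SDA wizard will import these file automatically" should read "these files"; the `#optional` anchor in the USB media link should be checked against the generated heading ID; and the run of empty lines at the end of the file can be trimmed.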
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
new file mode 100644
index 0000000000..972b8ebe93
--- /dev/null
+++ b/devices/surface/surface-diagnostic-toolkit.md
@@ -0,0 +1,521 @@
+---
+title: Microsoft Surface Diagnostic Toolkit (Surface)
+description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
+ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
+keywords: ["hardware, device, tool, test, component"]
+ms.prod: W8
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Microsoft Surface Diagnostic Toolkit
+
+
+Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
+
+The [Microsoft Surface Diagnostic Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618121) is a small, portable diagnostic tool that runs through a suite of tests to diagnose the hardware of Surface devices. The Microsoft Surface Diagnostic Toolkit executable file is less than 3 MB, which allows it to be distributed through email. It does not require installation, so it can be run directly from a USB stick or over the network. The Microsoft Surface Diagnostic Toolkit walks you through several tests of individual components including the touchscreen, cameras, and sensors.
+
+**Note**
+A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices:
+
+- Surface Book
+
+- Surface Pro 4
+
+- Surface 3 LTE
+
+- Surface 3
+
+- Surface Pro 3
+
+- Surface Pro 2
+
+- Surface Pro
+
+
+
+**Note**
+Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the .zip archive file as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
+
+
+
+Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The test sequence includes several tests that require you to perform actions or observe the outcome of the test, and then click the applicable **Pass** or **Fail** button. Some tests require connectivity to external devices, like an external display. Other tests use the built in Windows troubleshooters. At the end of testing, a visual report of the test results is displayed and you are given the option to save a log file or copy the results to the clipboard.
+
+To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you should be prepared with the following items:
+
+- An external display with the appropriate HDMI or DisplayPort connection
+
+- A Bluetooth device that can be put into pairing mode
+
+- A MicroSD or SD card that is compatible with your Surface device
+
+- A Surface Pen
+
+- Room to move the Surface device around
+
+- External speakers or headphones
+
+**Note**
+The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not test or resolve issues with the operating system or software.
+
+
+
+## The tests
+
+
+The Microsoft Surface Diagnostic Toolkit runs several individual tests on a Surface device. Not all tests are applicable to every device. For example, the Home button test is not applicable to Surface Pro 4 where there is no Home button. You can specify which tests to run, or you can choose to run all tests. For tests that require external devices (such as testing output to an external display) but you do not have the required external device at the time of the test, you are given the option to skip the test. If a test fails, you are prompted to continue or stop testing at that time.
+
+### Windows Update
+
+This test checks for any outstanding Windows updates and will prompt you to install those updates before you proceed to other tests. It is important to keep a Surface device up to date with the latest Windows updates, including drivers and firmware for the Surface device. The success of some of the tests that are performed later in the task sequence depend on these updated drivers and firmware. You will be prompted to restart the device if required by Windows Update. If you must restart the device, you will need to start the Microsoft Surface Diagnostic Toolkit again.
+
+### Device information
+
+This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](http://go.microsoft.com/fwlink/p/?LinkId=746476) and [System Information](http://go.microsoft.com/fwlink/p/?LinkId=746477), power configuration, disk health, and event logs. See the following list for a full set of collected log files:
+
+- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10
+
+- **%windir%\\Logs**
+
+- **%windir%\\Panther**
+
+- **%windir%\\System32\\sysprep\\Panther**
+
+- **%windir%\\System32\\WinEvt\\Logs**
+
+- **$windows.~bt\\Sources\\Panther**
+
+- **$windows.~bt\\Sources\\Rollback**
+
+- **%windir%\\System32\\WinEvt\\Logs**
+
+- Output of **dxdiag.exe /t**
+
+- Output of **msinfo32.exe /report**
+
+- Output of **powercfg.exe /batteryreport**
+
+- Output of **powercfg.exe /sleepstudy**
+
+- Output of **wevtutil.exe epl System**
+
+- Events from:
+
+ - **Chkdsk**
+
+ - **Microsoft-Windows-Ntfs**
+
+ - **Microsoft-Windows-WER-SystemErrorReporting**
+
+ - **Microsoft-Windows-Startuprepair**
+
+ - **Microsoft-Windows-kernel-Power**
+
+- Output of **powercfg.exe /q**
+
+- Output of **powercfg.exe /qh**
+
+- **%windir%\\Inf\\SetupApi\*.log**
+
+These files and logs are stored in a .zip file saved by the Microsoft Surface Diagnostic Toolkit when all selected tests have completed alongside the Microsoft Surface Diagnostic Toolkit log file.
+
+### Type Cover test
+
+**Note**
+A Surface Type Cover is required for this test.
+
+
+
+If a Surface Type Cover is not detected, the test prompts you to connect the Type Cover. When a Type Cover is detected the test prompts you to use the keyboard and touchpad. The cursor should move while you swipe the touchpad, and the keyboard Windows key should bring up the Start menu or Start screen to successfully pass this test. You can skip this test if a Type Cover is not used with the Surface device.
+
+### Integrated keyboard test
+
+**Note**
+This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard.
+
+
+
+This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. Move the cursor and use the Windows key to bring up the Start menu to confirm that the touchpad and keyboard are operating successfully. This test will display the status of cursor movement and keyboard input for you to verify. Press **ESC** to complete the test.
+
+### Canvas mode battery test
+
+**Note**
+This test is only applicable to Surface Book.
+
+
+
+Depending on which mode Surface Book is in, different batteries are used to power the device. When Surface Book is in clipboard mode (detached form the keyboard) it uses an internal battery, and when it is connected in either laptop mode or canvas mode it uses different connections to the battery in the keyboard. In canvas mode, the screen is connected to the keyboard so that when the device is closed, the screen remains face-up and visible. Connect the Surface Book to the keyboard in this manner for the test to automatically proceed.
+
+### Clipboard mode battery test
+
+**Note**
+This test is only applicable to Surface Book.
+
+
+
+Disconnect the Surface Book from the keyboard to work in clipboard mode. In clipboard mode the Surface Book operates from an internal battery that is tested when the Surface Book is disconnected from the keyboard. Disconnecting the Surface Book from the keyboard will also disconnect the Surface Book from power and will automatically begin this test.
+
+### Laptop mode battery test
+
+**Note**
+This test is only applicable to Surface Book.
+
+
+
+Connect the Surface Book to the keyboard in the opposite fashion to canvas mode in laptop mode. In laptop mode the screen will face you when the device is open and the device can be used in the same way as any other laptop. Disconnect AC Power from the laptop base when prompted for this test to check the battery status.
+
+### Battery test
+
+In this test the battery is discharged for a few seconds and tested for health and estimated runtime. You are prompted to disconnect the power adapter and then to reconnect the power adapter when the test is complete.
+
+### Discrete graphics (dGPU) test
+
+**Note**
+This test is only applicable to Surface Book models with a discrete graphics processor.
+
+
+
+This test will query the device information of current hardware to check for the presence of both the Intel integrated graphics processor in the Surface Book and the NVIDIA discrete graphics processor in the Surface Book keyboard. The keyboard must be attached for this test to function.
+
+### Discrete graphics (dGPU) fan test
+
+**Note**
+This test is only applicable to Surface Book models with a discrete graphics processor.
+
+
+
+The discrete graphics processor in the Surface Book includes a separate cooling fan. The fan is turned on automatically by the test for 5 seconds. Listen for the sound of the fan in the keyboard and report if the fan is working correctly when prompted.
+
+### Muscle wire test
+
+**Note**
+This test is only applicable to Surface Book.
+
+
+
+To disconnect the Surface Book from the keyboard, software must instruct the muscle wire latch mechanism to open. This is typically accomplished by pressing and holding the undock key on the keyboard. This test sends the same signal to the latch, which unlocks the Surface Book from the Surface Book keyboard. Remove the Surface Book from the keyboard when you are prompted to do so.
+
+### Dead pixel and display artifacts tests
+
+**Note**
+Before you run this test, be sure to clean the screen of dust or smudges.
+
+
+
+This test prompts you to view the display in search of malfunctioning pixels. The test displays full-screen, single-color images including black, white, red, green, and blue. Pixels that remain bright or dark when the screen displays an image of a different color indicate a failed test. You should also look for distortion or variance in the color of the screen.
+
+### Digitizer edges
+
+The touchscreen of a Surface device should detect when a user swipes in from the left or right side of the screen. This test prompts you to swipe in from the edges of the screen to bring up the Action Center and Task View. Both Action Center and Task View should launch to pass this test.
+
+### Digitizer pinch
+
+The pinch gesture (when you bring two fingers closer together or farther apart) is used to manipulate zoom and to position content through the touchscreen. This test displays an image in Windows Picture Viewer and prompts you to zoom in, move, and zoom out of the picture. The picture should zoom in, move, and zoom out as the gestures are performed.
+
+### Digitizer touch
+
+The Surface touchscreen should detect input across the entire screen of the device equally. To perform this test a series of lines are displayed on the screen for you to trace with a finger in search of unresponsive areas. The lines traced across the screen should appear continuous for the length of the line as drawn with your finger.
+
+### Digitizer pen test
+
+**Note**
+A Microsoft Surface Pen is required for this test.
+
+
+
+This test displays the same lines as those that are displayed during the Digitizer Touch test, but your input is performed with a Surface Pen instead of your finger. The lines should remain unbroken for as long as the Pen is pressed to the screen. Trace all of the lines in the image to look for unresponsive areas across the entire screen of the Surface device.
+
+### Digitizer multi touch
+
+The Surface touchscreen is capable of detecting 10 fingers simultaneously. Place all of your fingers on the screen simultaneously to perform this test. The screen will show the number of points detected, which should match the number of fingers you have on the screen.
+
+### Home button test
+
+The Home button or Windows button on your Surface device is used to bring up the Start screen or Start menu. This test is successful if the Start screen or Start menu is displayed when the Windows button is pressed. This test is not displayed on Surface Pro 4 because no Windows button exists.
+
+### Volume rocker test
+
+This test prompts you to use the volume rocker to turn the volume all the way up, all the way down, and then all the way up again. To pass this test, the volume slider should move up and down as the rocker is pressed.
+
+### Micro SD or SD slot test
+
+**Note**
+This test requires a micro SD or SD card that is compatible with the slot in your Surface device.
+
+
+
+Insert a micro SD or SD card when you are prompted. When the SD card is detected, the test prompts you to remove the SD card to ensure that the card is not left in the device. During this test a small file is written to the SD card and then verified. Detection and verification of the SD card automatically passes this test without additional input.
+
+### Microphone test
+
+This test displays the **Recording** tab of the Sound item in Control Panel. The test prompts you to monitor the meter that is displayed next to the **Microphone Array** recording device. A recommended test is to speak and watch for your speech to be detected in the meter. If the meter moves when you speak, the microphone is working correctly. For Surface Book you will be prompted to tap locations near the microphones. This tapping should produce noticeable spikes in the audio meter.
+
+### Video out test
+
+**Note**
+This test requires an external display with the applicable connection for your Surface device.
+
+
+
+Surface devices provide a Mini DisplayPort connection for connecting to an external display. Connect your display through the Mini DisplayPort on the device when prompted. The display should be detected automatically and an image should appear on the external display.
+
+### Bluetooth test
+
+**Note**
+This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test.
+
+
+
+After you receive a prompt to put the device in pairing mode, the test opens the **Add a device** window and begins to search for discoverable Bluetooth devices. Watch the **Add a device** window to verify that your Bluetooth device is detected. Select your Bluetooth device from the list and connect to the device to complete the test.
+
+### Camera test
+
+Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus.
+
+### Speaker test
+
+**Note**
+Headphones or external speakers are required to test the headphone jack in this test.
+
+
+
+This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected to the headphone jack. Mark each channel as a pass or fail as you hear the audio play.
+
+### Network test
+
+**Note**
+Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed.
+
+
+
+This test uses the Windows Network Diagnostics built in troubleshooter to diagnose potential issues with network connectivity, including proxy configuration, DNS problems, and IP address conflicts. An event log is saved by this test in Windows logs and is visible in the Windows Event Viewer. The Event ID is 6100.
+
+### Power test
+
+Settings such as display brightness, the elapsed time until the screen sleeps, and the elapsed time until device sleeps, are checked against default values with the Power built-in troubleshooter. The troubleshooter will automatically correct settings that may prevent the device from conserving power or entering sleep mode.
+
+### Mobile broadband test
+
+This test prompts you to enable mobile broadband and attempts to browse to http://www.bing.com. This test is only applicable to Surface devices that come equipped with mobile broadband, such as Surface 3 LTE.
+
+### Accelerometer test
+
+The accelerometer detects lateral, longitudinal, and vertical movements of the Surface device. This test prompts you to pick up and move the Surface device forward and backward, to the left and to the right, and up and down, to test the sensor for directional movement. The test automatically passes when movement is detected.
+
+### Gyrometer test
+
+The gyrometer detects pitch, roll, and yaw movements. This test prompts you to pick up and rotate the Surface device to test the sensors for angular movement. The test automatically passes when movement is detected.
+
+### Compass test
+
+The compass detects which direction the Surface device is facing relative to north, south, east, and west. Turn the Surface device to face in different directions to test the sensor. The test automatically passes when a change in direction is detected.
+
+### Ambient light test
+
+The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes.
+
+### Device orientation test
+
+**Note**
+Before you run this test, disable rotation lock from the Action Center if enabled.
+
+
+
+The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. The test automatically passes when the screen orientation switches.
+
+### Brightness test
+
+This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to disconnect the power adapter. The screen should automatically dim when power is disconnected.
+
+### System assessment
+
+**Note**
+The Surface device must be connected to AC power before you can run this test.
+
+
+
+The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against the processor, memory, video adapter, and storage devices. The results include the processing speed of various algorithms, read and write performance of memory and storage, and performance in several Direct3D graphical tests.
+
+### Performance Monitor test
+
+Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](http://go.microsoft.com/fwlink/p/?LinkId=746486) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows.
+
+### Crash dump collection
+
+If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](http://go.microsoft.com/fwlink/p/?LinkId=746488) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](http://go.microsoft.com/fwlink/p/?LinkId=746489).
+
+## Command line
+
+
+You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments:
+
+**Note**
+Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended.
+
+
+
+### exclude
+
+Use this argument to exclude specific tests.
+
+Example:
+
+```
+Surface_Diagnostic_Toolkit_1.0.60.0.exe “exclude=BatteryTest,CameraTest”
+```
+
+See the following list for test names:
+
+- AccelerometerTest
+
+- AmbientLightSensorTest
+
+- BatteryTest
+
+- BluetoothTest
+
+- BrightnessTest
+
+- CameraTest
+
+- CanvasModeBatteryTest
+
+- ChargingTest
+
+- ClipboardModeBatteryTest
+
+- CrashDumpCollectionTest
+
+- DeadPixelDetectionTest
+
+- DeviceInformationTest
+
+- DeviceOrientationTest
+
+- DigitalCompassSensorTest
+
+- DigitizerEdgeTest
+
+- DigitizerMultiTouchTest
+
+- DigitizerPenCoverageTest
+
+- DigitizerPinchTest
+
+- DigitizerTouchCoverageTest
+
+- DisplayArtifactsTest
+
+- DualGraphicsTest
+
+- FanTest
+
+- GyrometerSensorTest
+
+- HomeButtonTest
+
+- IntegratedKeyboardTest
+
+- LaptopModeBatteryTest
+
+- MicrophoneTest
+
+- MicroSdCardTest
+
+- MobileBroadbandTest
+
+- MuscleWireTest
+
+- NetworkTest
+
+- PenTest
+
+- PerformanceMonitorTest
+
+- PowerTest
+
+- SdCardTest
+
+- SpeakerTest
+
+- SystemAssessmentTest
+
+- TypeCoverTest
+
+- VideoOutTest
+
+- VolumeRockerTest
+
+- WindowsUpdateCheckTest
+
+### forceplatformsupport
+
+Use this argument to force tests to run when the make and model of the device is not properly detected by Windows. Surface Diagnostic Toolkit is intended to run only on Surface devices.
+
+Example:
+
+```
+Surface_Diagnostic_Toolkit_1.0.60.0.exe forceplatformsupport
+```
+
+### include
+
+Use this argument to include tests when you run Microsoft Surface Diagnostic Toolkit from the command line. Tests specified by the **Include** command will be run even if the test is not supported on the model of Surface device. In the following example, the Surface Book specific tests for the latch mechanism and discrete graphics will be run, even if the command is run on a Surface Pro 4 or other Surface model.
+
+Example:
+
+```
+Surface_Diagnostic_Toolkit_1.0.60.0.exe “include=DualGraphicsTest,FanTest,MuscleWireTest”
+```
+
+### logpath
+
+Use this argument to specify the path for the log file.
+
+Example 1:
+
+```
+Surface_Diagnostic_Toolkit_1.0.60.0.exe logpath=C:\Folder
+```
+
+Example 2:
+
+```
+Surface_Diagnostic_Toolkit_1.0.60.0.exe “logpath=C:\Folder with spaces”
+```
+
+## Localization
+
+
+By default, the Microsoft Surface Diagnostic Toolkit is available in English only. If you want to localize the text of the Microsoft Surface Diagnostic Toolkit prompts into another language, you can do so by creating a custom localization file. If the localization file exists, the Microsoft Surface Diagnostic Toolkit will override the default English text and use the text contained in the file instead. To create a localization file, follow these steps:
+
+1. Open Notepad.
+
+2. Type the following line at the beginning of the file:
+
+ ``` syntax
+
+ ```
+
+3. Save the file as SurfaceDiagnosticTool\_v1.0.60.0.locale in the same location where the Microsoft Surface Diagnostic Toolkit executable file is stored.
+
+4. Run the Microsoft Surface Diagnostic Toolkit executable file, Surface\_Diagnostic\_Toolkit\_v1.0.60.0.exe. The SurfaceDiagnosticTool\_v1.0.60.0.locale file will be populated with all of the text from the default prompts.
+
+5. Open the SurfaceDiagnosticTool\_v1.0.60.0.locale file in Notepad and change the text of each prompt to your custom or localized text.
+
+6. Save the SurfaceDiagnosticTool\_v1.0.60.0.locale file.
+
+**Note**
+The SurfaceDiganosticTool\_v1.0.60.0.locale file must be located in the same folder and have the same name other than the file extension as the Microsoft Surface Diagnostic Toolkit executable file to use the custom prompt text. The SurfaceDiganosticTool\_v1.0.60.0.locale is an .xml file and must use UTF-8 encoding.
+
+
+
+
+
+
+
+
+
+
+
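Review bot: The Localization steps cannot be followed as written: the fenced block in step 2 ("Type the following line at the beginning of the file") is empty, and the file names disagree with each other. Step 3 names the file `SurfaceDiagnosticTool_v1.0.60.0.locale`, step 4 names the executable `Surface_Diagnostic_Toolkit_v1.0.60.0.exe`, the command-line examples use `Surface_Diagnostic_Toolkit_1.0.60.0.exe` without the `v`, and the closing note, which misspells the name as `SurfaceDiganosticTool`, requires the .locale file to share the executable's name apart from the extension. Please restore the line for step 2 and settle on one base name. Also: the `exclude`, `include` and second `logpath` examples wrap the argument in curly quotes, which the command prompt does not treat as quoting characters; `%windir%\System32\WinEvt\Logs` appears twice in the collected-logs list; "detached form the keyboard" should be "from"; and the crash dump section suggests posting a link to dump files on a public forum without noting that dumps and the collected event logs can contain sensitive data from the device.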
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
new file mode 100644
index 0000000000..6cee308250
--- /dev/null
+++ b/devices/surface/surface-dock-updater.md
@@ -0,0 +1,107 @@
+---
+title: Microsoft Surface Dock Updater (Surface)
+description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater.
+ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Microsoft Surface Dock Updater
+
+
+This article provides a detailed walkthrough of Microsoft Surface Dock Updater.
+
+The [Microsoft Surface Dock Updater](http://go.microsoft.com/fwlink/p/?LinkId=618121) tool allows you to check the firmware status of a Surface Dock and to manually update the firmware of Surface Dock devices. It is most often used to update Surface Docks prior to deployment of those Surface Docks to end users or as a troubleshooting tool. Microsoft Surface Dock Updater walks you through the process of updating the firmware on one or more Surface Docks, including the required connect and disconnect steps to perform the complete firmware installation.
+
+When you run the Microsoft Surface Dock Updater installer you will be prompted to accept an End User License Agreement (EULA).
+
+**Note**
+Updating Surface Dock firmware requires connectivity to the Surface Dock, available only on Surface Pro 3, Surface Pro 4, and Surface Book devices. A Surface Pro 3, Surface Pro 4, or Surface Book is required to successfully install Microsoft Surface Dock Updater.
+
+## Update a Surface Dock with Microsoft Surface Dock Updater
+
+
+After you install the [Microsoft Surface Dock Updater](http://go.microsoft.com/fwlink/p/?LinkId=618121) tool, you can find Microsoft Surface Dock Updater under **All Apps** in your Start menu. Click **Microsoft Surface Dock Updater** to start the application.
+
+To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps:
+
+1. Click Start to begin the firmware update process. If you do not have a Surface Dock connected, you will be prompted to connect a Surface Dock.
+
+2. Microsoft Surface Dock Updater checks the status of your Surface Dock firmware.
+
+ - If the tool determines that the firmware of your Surface Dock is up to date, a **You have the latest firmware for this Surface Dock** message is displayed, as shown in Figure 1.
+
+ 
+
+ Figure 1. Your Surface Dock firmware is up to date.
+
+ - If Microsoft Surface Dock Updater determines that the firmware of your Surface Dock is not up to date, a **This Surface Dock is not running the latest firmware** message is displayed, as shown in Figure 2.
+
+ 
+
+ Figure 2. Your Surface Dock firmware needs to be updated
+
+3. To begin the firmware update process, click **Update** on the **Surface Dock Firmware** page.
+
+4. Before the firmware update process begins, you will be prompted for confirmation. Click **OK** to proceed or **Cancel** to return to the **Surface Dock Firmware** page displaying the status of your Surface Dock firmware.
+
+5. As the firmware update is uploaded to the Surface Dock, a **Progress** page is displayed, as shown in Figure 3. Do not disconnect the Surface Dock while firmware is being uploaded.
+
+ 
+
+ Figure 3. Progress of firmware update upload to Surface Dock
+
+6. After the firmware update has successfully uploaded to the Surface Dock, you are prompted to disconnect and then reconnect the Surface Dock from the Surface device, as shown in Figure 4. The main chipset firmware update will be applied while the Surface Dock is disconnected.
+
+ 
+
+ Figure 4. Disconnect and reconnect Surface Dock when prompted
+
+7. When the main chipset firmware update is verified, the DisplayPort chipset firmware update will be uploaded to the Surface Dock. Upon completion, a **Success** page is displayed and you will again be prompted to disconnect the Surface Dock, as shown in Figure 5.
+
+ 
+
+ Figure 5. Successful upload of Surface Dock firmware
+
+8. After you disconnect the Surface Dock the DisplayPort firmware update will be installed. This process occurs on the Surface Dock hardware while it is disconnected. The Surface Dock must remain powered for up to 3 minutes after it has been disconnected for the firmware update to successfully install. An **Update in Progress** page is displayed (as shown in Figure 6), with a countdown timer to show the estimated time remaining to complete the firmware update installation.
+
+ 
+
+ Figure 6. Countdown timer to complete firmware installation on Surface Dock
+
+9. If you want to update multiple Surface Docks in one sitting, you can click the **Update another Surface Dock** button to begin the process on the next Surface Dock.
+
+ **Note**
+ The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops blinking before you unplug your Surface Dock from power.
+
+
+
+## Troubleshooting Microsoft Surface Dock Updater
+
+
+If the Surface Dock firmware update process encounters an installation error with either firmware update, the **Encountered an unexpected error** page may be displayed, as shown in Figure 7.
+
+
+
+Figure 7. Firmware update installation has encountered an error
+
+Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in Figure 8. If you need to troubleshoot an update through this tool, you will find Surface Dock events recorded with the following event IDs:
+
+| Event ID | Event type |
+|----------|----------------------------------------------------------|
+| 12100 | Up-to-date confirmation |
+| 12101 | Event in the main chipset firmware update process |
+| 12102 | Event in the DisplayPort chipset firmware update process |
+| 12105 | Error |
+
+
+
+
+Figure 8. Surface Dock Updater events in Event Viewer
+
+## Related topics
+
+
+[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
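Review bot: The troubleshooting paragraph that introduces the event ID table says only that the tool "logs its progress into the Event Log" and never names the log or the event source, so someone filtering Event Viewer or forwarding these events to a collector cannot locate IDs 12100, 12101, 12102 and 12105 from the text alone; name the log and the source in that sentence. Two smaller points: both download links use http://go.microsoft.com rather than https, and the LED note is indented under step 9 although it describes the wait in step 8.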
diff --git a/education/docfx.json b/education/docfx.json
new file mode 100644
index 0000000000..cc09ff86a7
--- /dev/null
+++ b/education/docfx.json
@@ -0,0 +1,24 @@
+{
+ "build": {
+ "content":
+ [
+ {
+ "files": ["**/**.md"],
+ "exclude": ["**/obj/**"]
+ }
+ ],
+ "resource": [
+ {
+ "files": ["**/images/**", "**/*.json"],
+ "exclude": ["**/obj/**"]
+ }
+ ],
+ "globalMetadata": {
+ "ROBOTS": "INDEX, FOLLOW"
+ },
+ "externalReference": [
+ ],
+ "template": "op.html",
+ "dest": "education"
+ }
+}
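Review bot: The resource entry `"files": ["**/images/**", "**/*.json"]` matches every JSON file under education/, which by the pattern can include this docfx.json itself, so build configuration would be copied into the published output; restrict the resource globs to the assets the pages actually reference. In the content entry, `**/**.md` would normally be written `**/*.md`, and `"ROBOTS": "INDEX, FOLLOW"` makes the docset indexable from its first build, which is worth confirming is intended.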
diff --git a/education/index.md b/education/index.md
new file mode 100644
index 0000000000..0bd9ced4cc
--- /dev/null
+++ b/education/index.md
@@ -0,0 +1 @@
+#OP Testing file
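Review bot: `#OP Testing file` has no space after the `#`, so Markdown renderers that require one will show it as literal text rather than a heading; write `# OP Testing file`, or hold this placeholder back until the docset has real content.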
diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md
index 2e81d5ad03..3f983101a4 100644
--- a/mdop/appv-v5/TOC.md
+++ b/mdop/appv-v5/TOC.md
@@ -17,7 +17,7 @@
##### [Planning to Deploy App-V 5.1 with an Electronic Software Distribution System](planning-to-deploy-app-v-51-with-an-electronic-software-distribution-system.md)
##### [Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)
##### [Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)
-##### [Planning for Migrating from a Previous Version of App-V 5.1 ](planning-for-migrating-from-a-previous-version-of-app-v51.md)
+##### [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)
##### [Planning for Using App-V with Office 5.1](planning-for-using-app-v-with-office51.md)
##### [Planning to Use Folder Redirection with App-V 5.1](planning-to-use-folder-redirection-with-app-v51.md)
#### [App-V 5.1 Planning Checklist](app-v-51-planning-checklist.md)
@@ -79,11 +79,12 @@
##### [How to Access the Client Management Console 5.1](how-to-access-the-client-management-console51.md)
##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server 5.1](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md)
#### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md)
+##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md)
##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md)
-##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
-##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
-##### [How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
-##### [How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 SP2 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
+##### [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
+##### [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
+##### [How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
+##### [How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
##### [How to Use an App-V 4.6 SP1 Application From an App-V 5.1 Application](how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md)
#### [Maintaining App-V 5.1](maintaining-app-v-51.md)
##### [How to Move the App-V Server to Another Computer 5.1](how-to-move-the-app-v-server-to-another-computer51.md)
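Review bot: The four renamed extension-point entries now say "App-V 4.6 Package" but still link to files whose names contain 46-sp2, and the unchanged entry just below them still reads "App-V 4.6 SP1 Application", so the TOC is left with three ways of naming the 4.6 release. Either state in the commit message that the slugs are kept deliberately to preserve inbound links, or rename the files with redirects, and decide whether the SP1 entry should follow the same wording.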
diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md
index a4418a6430..84f1b27782 100644
--- a/mdop/appv-v5/about-app-v-50-sp3.md
+++ b/mdop/appv-v5/about-app-v-50-sp3.md
@@ -197,7 +197,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
-If you are upgrading the App-V Server from App-V SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).
+If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).
Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).
diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md
index 162630bae1..debcd6ece3 100644
--- a/mdop/appv-v5/about-app-v-51.md
+++ b/mdop/appv-v5/about-app-v-51.md
@@ -63,7 +63,7 @@ See the following links for the App-V 5.1 software prerequisites and supported c
## Migrating to App-V 5.1
-Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) for more information.
+Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) for more information.
### Before you start the upgrade
@@ -90,7 +90,7 @@ Review the following information before you start the upgrade:
Note
-
To use the App-V client user interface, download the existing version from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).
+
Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).
@@ -98,7 +98,7 @@ Review the following information before you start the upgrade:
Upgrading from App-V 4.x |
-For more information, see:
+ | You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:
“Differences between App-V 4.6 and App-V 5.0” in [About App-V 5.0](about-app-v-50.md)
[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)
@@ -147,7 +147,35 @@ Complete the following steps to upgrade each component of the App-V infrastructu
|
-See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md) |
+Follow these steps:
+
+Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:
+
+
+
+
+
+
+
+
+
+
+Windows Installer |
+Skip this step and go to step 2, “If you are upgrading the App-V Server...” |
+
+
+SQL scripts |
+Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md). |
+
+
+
+If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](check-reg-key-svr.md).
+Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
+
+ |
Step 2: Upgrade the App-V Sequencer. |
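Review bot: The added link text "Check registry keys after installing the App-V 5.0 SP3 Server" points to check-reg-key-svr.md, whose title and body in this same commit say to check the keys before installing the App-V 5.x Server, so an administrator following the 5.1 upgrade steps is told "after" here and "before" on the target page; change the link text to match the target's title. In the Windows Installer row, "go to step 2" is ambiguous because the enclosing table also has a "Step 2: Upgrade the App-V Sequencer" row, and the final added line, "Follow the steps in [How to Deploy the App-V 5.1 Server]", is missing its closing period.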
@@ -174,7 +202,7 @@ App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no
## What’s New in App-V 5.1
-These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.0](planning-for-app-v-50-rc.md).
+These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.1](planning-for-app-v-51.md).
### App-V support for Windows 10
diff --git a/mdop/appv-v5/check-reg-key-svr.md b/mdop/appv-v5/check-reg-key-svr.md
new file mode 100644
index 0000000000..40deca6793
--- /dev/null
+++ b/mdop/appv-v5/check-reg-key-svr.md
@@ -0,0 +1,238 @@
+---
+title: Check Registry Keys before installing App-V 5.x Server
+description: Check Registry Keys before installing App-V 5.x Server
+ms.assetid:
+author: jamiejdt
+---
+
+# Check Registry Keys before installing App-V 5.x Server
+
+If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in this section before installing the App-V 5.x Server
+
+
+
+
+
+
+
+
+When this step is required |
+You are upgrading from App-V 5.0 SP1 with any subsequent Hotfix Packages that you installed by using an .msp file. |
+
+
+Which components require that you do this step |
+Only the App-V Server components that you are upgrading. |
+
+
+When you need to do this step |
+Before you upgrade the App-V Server to App-V 5.x |
+
+
+What you need to do |
+Using the information in the following tables, update each registry key value under HKLM\Software\Microsoft\AppV\Server with the value that you provided in your original server installation. Completing this step restores registry values that may have been removed when App-V 5.0 SP1 Hotfix Packages were installed. |
+
+
+
+
+
+
+**ManagementDatabase key**
+
+If you are installing the Management database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementDatabase`.
+
+
+
+
+
+
+
+
+
+
+
+IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED |
+Describes whether a public access account is required to access non-local management databases. Value is set to “1” if it is required. |
+
+
+MANAGEMENT_DB_NAME |
+Name of the Management database. |
+
+
+MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT |
+Account used for read (public) access to the Management database.
+Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1. |
+
+
+MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_SID |
+Secure identifier (SID) of the account used for read (public) access to the Management database.
+Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1. |
+
+
+MANAGEMENT_DB_SQL_INSTANCE |
+SQL Server instance for the Management database.
+If the value is blank, the default database instance is used. |
+
+
+MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT |
+Account used for write (administrator) access to the Management database. |
+
+
+MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT_SID |
+Secure identifier (SID) of the account used for write (administrator) access to the Management database. |
+
+
+MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT |
+Management server remote computer account (domain\account). |
+
+
+MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT |
+Installation administrator login for the Management server (domain\account). |
+
+
+MANAGEMENT_SERVER_MACHINE_USE_LOCAL |
+Valid values are:
+
+1 – the Management service is on the local computer, that is, MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT is blank.
+0 - the Management service is on a different computer from the local computer.
+ |
+
+
+
+
+
+
+**ManagementService key**
+
+If you are installing the Management server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementService`.
+
+
+
+
+
+
+
+
+
+
+
+MANAGEMENT_ADMINACCOUNT |
+Active Directory Domain Services (AD DS) group or account that is authorized to manage App-V (domain\account). |
+
+
+MANAGEMENT_DB_SQL_INSTANCE |
+SQL server instance that contains the Management database.
+If the value is blank, the default database instance is used. |
+
+
+MANAGEMENT_DB_SQL_SERVER_NAME |
+Name of the remote SQL server with the Management database.
+If the value is blank, the local computer is used. |
+
+
+
+
+
+
+**ReportingDatabase key**
+
+If you are installing the Reporting database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingDatabase`.
+
+
+
+
+
+
+
+
+
+
+
+IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED |
+Describes whether a public access account is required to access non-local reporting databases. Value is set to “1” if it is required. |
+
+
+REPORTING_DB_NAME |
+Name of the Reporting database. |
+
+
+REPORTING_DB_PUBLIC_ACCESS_ACCOUNT |
+Account used for read (public) access to the Reporting database.
+Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1. |
+
+
+REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_SID |
+Secure identifier (SID) of the account used for read (public) access to the Reporting database.
+Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1. |
+
+
+REPORTING_DB_SQL_INSTANCE |
+SQL Server instance for the Reporting database.
+If the value is blank, the default database instance is used. |
+
+
+REPORTING_DB_WRITE_ACCESS_ACCOUNT |
+ |
+
+
+REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID |
+ |
+
+
+REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT |
+Reporting server remote computer account (domain\account). |
+
+
+REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT |
+Installation administrator login for the Reporting server (domain\account). |
+
+
+REPORTING_SERVER_MACHINE_USE_LOCAL |
+Valid values are:
+
+1 – the Reporting service is on the local computer, that is, REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT is blank.
+0 - the Reporting service is on a different computer from the local computer.
+ |
+
+
+
+
+
+
+**ReportingService key**
+
+If you are installing the Reporting server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingService`.
+
+
+
+
+
+
+
+
+
+
+
+REPORTING_DB_SQL_INSTANCE |
+SQL Server instance for the Reporting database.
+If the value is blank, the default database instance is used. |
+
+
+REPORTING_DB_SQL_SERVER_NAME |
+Name of the remote SQL server with the Reporting database.
+If the value is blank, the local computer is used. |
+
+
+
+
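Review bot: REPORTING_DB_WRITE_ACCESS_ACCOUNT and REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID have empty description cells, while the matching MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT rows are described; these values identify the account with write (administrator) access to the database, so they are the ones an administrator restoring keys by hand most needs explained. Fill them in on the pattern of the Management rows. Also, "Secure identifier (SID)" should read "Security identifier (SID)" wherever it appears, the front matter leaves ms.assetid empty, and the opening sentence has no closing period.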
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-46x-and-the-app-v--51-client-on-the-same-computer.md b/mdop/appv-v5/how-to-deploy-the-app-v-46x-and-the-app-v--51-client-on-the-same-computer.md
index 7420ac9bef..49c8452df2 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-46x-and-the-app-v--51-client-on-the-same-computer.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-46x-and-the-app-v--51-client-on-the-same-computer.md
@@ -32,9 +32,9 @@ Use the following information to install the Microsoft Application Virtualizatio
5. Convert extension points, as needed. For more information, see the following resources:
- - [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
+ - [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
- - [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
+ - [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
- [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md)
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md
new file mode 100644
index 0000000000..e524980035
--- /dev/null
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md
@@ -0,0 +1,269 @@
+---
+title: How to Deploy the App-V 5.1 Server
+description: How to Deploy the App-V 5.1 Server
+ms.assetid: 4729beda-b98f-481b-ae74-ad71c59b1d69
+author: jamiejdt
+---
+
+# How to Deploy the App-V 5.1 Server
+
+
+Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 server. For information about deploying the App-V 5.1 Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51).
+
+**Before you start:**
+
+- Ensure that you’ve installed prerequisite software. See [App-V 5.1 Prerequisites](app-v-51-prerequisites.md).
+
+- Review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md).
+
+- Specify a port where each component will be hosted.
+
+- Add firewall rules to allow incoming requests to access the specified ports.
+
+- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md).
+
+**To install the App-V 5.1 server**
+
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it.
+
+2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**.
+
+3. Review and accept the license terms, and choose whether to enable Microsoft updates.
+
+4. On the **Feature Selection** page, select all of the following components.
+
+
+
+
+
+
+
+
+
+
+
+ Management server |
+ Provides overall management functionality for the App-V infrastructure. |
+
+
+ Management database |
+ Facilitates database predeployments for App-V management. |
+
+
+ Publishing server |
+ Provides hosting and streaming functionality for virtual applications. |
+
+
+ Reporting server |
+ Provides App-V 5.1 reporting services. |
+
+
+ Reporting database |
+ Facilitates database predeployments for App-V reporting. |
+
+
+
+
+
+
+5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line.
+
+6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below.
+
+
+
+
+
+
+
+
+
+
+
+ You are using a custom Microsoft SQL Server instance. |
+ Select Use the custom instance, and type the name of the instance.
+ Use the format INSTANCENAME. The assumed installation location is the local computer.
+ Not supported: A server name using the format ServerName\INSTANCE. |
+
+
+ You are using a custom database name. |
+ Select Custom configuration and type the database name.
+ The database name must be unique, or the installation will fail. |
+
+
+
+
+
+
+7. On the **Configure** page, accept the default value **Use this local computer**.
+
+ **Note**
+ If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed.
+
+
+
+8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below.
+
+
+
+
+
+
+
+
+
+
+
+ You are using a custom Microsoft SQL Server instance. |
+ Select Use the custom instance, and type the name of the instance.
+ Use the format INSTANCENAME. The assumed installation location is the local computer.
+ Not supported: A server name using the format ServerName\INSTANCE. |
+
+
+ You are using a custom database name. |
+ Select Custom configuration and type the database name.
+ The database name must be unique, or the installation will fail. |
+
+
+
+
+
+
+9. On the **Configure** page, accept the default value: **Use this local computer**.
+
+ **Note**
+ If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed.
+
+
+
+10. On the **Configure** (Management Server Configuration) page, specify the following:
+
+
+
+
+
+
+
+
+
+
+
+ Type the AD group with sufficient permissions to manage the App-V environment. |
+ Example: MyDomain\MyUser
+ After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action. |
+
+
+ Website name: Specify the custom name that will be used to run the publishing service. |
+ If you do not have a custom name, do not make any changes. |
+
+
+ Port binding: Specify a unique port number that will be used by App-V. |
+ Example: 12345
+ Ensure that the port specified is not being used by another website. |
+
+
+
+
+
+
+11. On the **Configure** **Publishing Server Configuration** page, specify the following:
+
+
+
+
+
+
+
+
+
+
+
+ Specify the URL for the management service. |
+ Example: http://localhost:12345 |
+
+
+ Website name: Specify the custom name that will be used to run the publishing service. |
+ If you do not have a custom name, do not make any changes. |
+
+
+ Port binding: Specify a unique port number that will be used by App-V. |
+ Example: 54321
+ Ensure that the port specified is not being used by another website. |
+
+
+
+
+
+
+12. On the **Reporting Server** page, specify the following:
+
+
+
+
+
+
+
+
+
+
+
+ Website name: Specify the custom name that will be used to run the Reporting Service. |
+ If you do not have a custom name, do not make any changes. |
+
+
+ Port binding: Specify a unique port number that will be used by App-V. |
+ Example: 55555
+ Ensure that the port specified is not being used by another website. |
+
+
+
+
+
+
+13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page.
+
+14. To verify that the setup completed successfully, open a web browser, and type the following URL:
+
+ **http://<Management server machine name>:<Management service port number>/Console.html**.
+
+ Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors.
+
+ **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+
+## Related topics
+
+
+[Deploying App-V 5.1](deploying-app-v-51.md)
+
+[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md)
+
+[How to Install the Publishing Server on a Remote Computer](how-to-install-the-publishing-server-on-a-remote-computer51.md)
+
+[How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md)
+
+
+
+
+
+
+
+
+
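Review bot: In the step 10 table, the sentence "You must use Domain local or Universal groups are required to perform this action." is two phrasings merged into one, and the example MyDomain\MyUser reads as a user account although the prompt asks for an AD group; since this field decides who can administer App-V, state the supported group types as a single clean sentence and give a group-shaped example. The note under step 9 (Reporting database) repeats the step 7 text about the Management server and Management database, which looks like a copy-paste. The file is also added as how-to-deploy-the-app-v-51-server.1.md while about-app-v-51.md links to how-to-deploy-the-app-v-51-server.md, so check that the .1 suffix is intended.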
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
index 35d77c5117..d11e7fad16 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md
@@ -1,21 +1,22 @@
---
-title: How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer
-description: How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer
+title: How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer
+description: How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer
ms.assetid: 4ef823a5-3106-44c5-aecc-29edf69c2fbb
author: jamiejdt
---
-# How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer
+# How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer
-Use the following procedure to migrate extension points from an App-V 4.6 SP2 package to a App-V 5.1 package using the deployment configuration file.
+Use the following procedure to migrate extension points from an App-V 4.6 package to a App-V 5.1 package using the deployment configuration file.
**Note**
+This procedure assumes that you are running the latest version of App-V 4.6.
The following procedure does not require an App-V 5.1 management server.
-**To migrate extension points from a package from an App-V 4.6 SP2 package to a converted App-V 5.1 package using the deployment configuration file**
+**To migrate extension points from a package from an App-V 4.6 package to a converted App-V 5.1 package using the deployment configuration file**
1. Locate the directory that contains the deployment configuration file for the package you want to migrate. To set the policy, make the following update to the **userConfiguration** section:
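Review bot: The added note "This procedure assumes that you are running the latest version of App-V 4.6." replaces the explicit "SP2" with a version the reader has to work out; name the minimum 4.6 service pack the procedure applies to, or link to where the latest version is defined. The new sentence is also run into the existing line about not requiring a management server with no blank line between them, the intro still reads "to a App-V 5.1 package" (should be "an"), and the procedure heading says "from a package from an App-V 4.6 package".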
@@ -47,14 +48,14 @@ The following procedure does not require an App-V 5.1 management server.
PS>**Publish-AppVClientPackage $pkg**
-3. To test the migration, open the virtual application using asscoaited FTAs or shortcuts. The application opens with App-V 5.1. Both, the App-V 4.6 SP2 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package.
+3. To test the migration, open the virtual application using associated FTAs or shortcuts. The application opens with App-V 5.1. Both, the App-V 4.6 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-[How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
+[How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
[Operations for App-V 5.1](operations-for-app-v-51.md)
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md
index 0b9e3cd221..3e1888a1e1 100644
--- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md
@@ -1,15 +1,18 @@
---
-title: How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User
-description: How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User
+title: How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User
+description: How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User
ms.assetid: 19da3776-5ebe-41e1-9890-12b84ef3c1c7
author: jamiejdt
---
-# How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User
+# How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User
Use the following procedure to migrate packages created with App-V using the user configuration file.
+**Note**
+This procedure assumes that you are running the latest version of App-V 4.6.
+
**To convert a package**
1. Locate the user configuration file for the package you want to convert. To set the policy, perform the following updates in the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>**.
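Review bot: The added note, "This procedure assumes that you are running the latest version of App-V 4.6", replaces an explicit SP2 reference in the title with a prerequisite the reader cannot check. Name the minimum service pack the procedure depends on, or link to a page that states it, so an administrator can verify the client before setting TakeoverExtensionPointsFrom46="true".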
@@ -34,7 +37,7 @@ Use the following procedure to migrate packages created with App-V using the use
3. Open the application using FTAs or shortcuts now. The application should open using App-V 5.1.
- The App-V SP2 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package.
+ The App-V 4.6 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
@@ -43,7 +46,7 @@ Use the following procedure to migrate packages created with App-V using the use
[Operations for App-V 5.1](operations-for-app-v-51.md)
-[How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 SP2 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
+[How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
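Review bot: The link text now says "App-V 4.6 Package" but the target is still how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md, and the same mismatch applies to every retitled link in this patch. If the file names are being kept on purpose to preserve existing URLs, say so in the commit message; otherwise rename the files and add redirects in the same change.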
diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md
index 98339d52ca..c69c21b2b6 100644
--- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md
@@ -1,18 +1,18 @@
---
-title: How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 SP2 Package for a Specific User
-description: How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 SP2 Package for a Specific User
+title: How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User
+description: How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User
ms.assetid: bd53c5d6-7fd2-4816-b03b-d59da0a35819
author: jamiejdt
---
-# How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 SP2 Package for a Specific User
+# How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User
Use the following procedure to revert an App-V 5.1 package to the App-V file format using the user configuration file.
**To revert a package**
-1. Ensure that App-V 4.6 SP2 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md).
+1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md).
In the **userConfiguration** section of the deployment configuration file for the converted package, to set the policy, make the following update to the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="false" PackageName=<Package ID>**
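Review bot: Step 1 still tells the reader to edit the **userConfiguration** section "of the deployment configuration file", but this is the per-user topic: the intro says "using the user configuration file" and the publish command in the next hunk takes a path to the user configuration file. Since the step is being touched anyway, change it to "user configuration file". The intro line also says "to the App-V file format" with no version, where the all-users topic says "to the App-V 4.6 file format".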
@@ -20,7 +20,7 @@ Use the following procedure to revert an App-V 5.1 package to the App-V file for
PS>**Publish-AppVClientPackage $pkg –DynamicUserConfigurationPath** <path to user configuration file>
-3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 SP2. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6 SP2.
+3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6.
**Note**
If you do not need the App-V 5.1 package anymore, you can unpublish the App-V 5.1 package and the extension points will automatically revert to App-V 4.6.
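Review bot: Removing "SP2" in step 3 leaves "the next scheduled publishing refresh for the App-V 4.6." with an article and no noun. The all-users topic words the same step as "for the App-V 4.6 package"; use that here as well.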
diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md
index 2cfc4d1722..265afe0293 100644
--- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md
@@ -1,18 +1,18 @@
---
-title: How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer
-description: How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer
+title: How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer
+description: How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer
ms.assetid: 64640b8e-de6b-4006-a33e-353d285af15e
author: jamiejdt
---
-# How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer
+# How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer
-Use the following procedure to revert extension points from an App-V 5.1 package to the App-V 4.6 SP2 file format using the deployment configuration file.
+Use the following procedure to revert extension points from an App-V 5.1 package to the App-V 4.6 file format using the deployment configuration file.
**To revert a package**
-1. Ensure that App-V 4.6 SP2 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md).
+1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md).
In the **userConfiguration** section of the deployment configuration file for the converted package, to set the policy, make the following update to the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="false" PackageName=<Package ID>**
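Review bot: Step 1 is hard to parse after the edit: "Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package" is missing both articles, and the following line names the **userConfiguration** section twice in one sentence. Suggest "Ensure that the App-V 4.6 package is published ... assumed by the App-V 5.1 package" and trimming the second sentence to a single mention of the section.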
@@ -22,9 +22,9 @@ Use the following procedure to revert extension points from an App-V 5.1 package
PS>**Publish-AppVClientPackage $pkg –DynamicUserConfigurationType useDeploymentConfiguration**
-3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 SP2 package.
+3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 package.
- Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6 SP2.
+ Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6.
**Note**
If you do not need the App-V 5.1 package anymore, you can unpublish the App-V 5.1 package and the extension points will automatically revert to App-V 4.6.
diff --git a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md
index 5f95a39eb1..a12c13f680 100644
--- a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md
+++ b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md
@@ -1,24 +1,27 @@
---
-title: How to Use an App-V 4.6 SP1 Application From an App-V 5.1 Application
-description: How to Use an App-V 4.6 SP1 Application From an App-V 5.1 Application
+title: How to Use an App-V 4.6 Application From an App-V 5.1 Application
+description: How to Use an App-V 4.6 Application From an App-V 5.1 Application
ms.assetid: 909b4391-762b-4988-b0cf-32b67f1fcf0e
author: jamiejdt
---
-# How to Use an App-V 4.6 SP1 Application From an App-V 5.1 Application
+# How to Use an App-V 4.6 Application From an App-V 5.1 Application
-Use the following procedure to run an App-V 4.6 SP2 application with App-V 5.1 applications on a standalone client.
+Use the following procedure to run an App-V 4.6 application with App-V 5.1 applications on a standalone client.
+
+**Note**
+This procedure assumes that you are running the latest version of App-V 4.6.
**To run applications on a standalone client**
1. Select two applications in your environment that can be opened from one another. For example, Microsoft Outlook and Adobe Acrobat Reader. You can access an email attachment created using Adobe Acrobat.
-2. Convert the packages, or create a new package for either of the applications using the App-V 5.1 format. For more information about converting packages see, [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md) or [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md).
+2. Convert the packages, or create a new package for either of the applications using the App-V 5.1 format. For more information about converting packages see, [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md) or [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md).
3. Add and provision the package using the App-V 5.1 management console. For more information adding and provisioning packages see, [How to Add or Upgrade Packages by Using the Management Console](how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md) and [How to Configure Access to Packages by Using the Management Console](how-to-configure-access-to-packages-by-using-the-management-console-51.md).
-4. The converted application now runs using App-V 5.1 and you can open one application from the other. For example, if you converted a Microsoft Office package to an App-V 5.1 package and Adobe Acrobat is still running as an App-V 4.6 SP2 package, you can open an Adobe Acrobat Reader attachment using Microsoft Outlook.
+4. The converted application now runs using App-V 5.1 and you can open one application from the other. For example, if you converted a Microsoft Office package to an App-V 5.1 package and Adobe Acrobat is still running as an App-V 4.6 package, you can open an Adobe Acrobat Reader attachment using Microsoft Outlook.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
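Review bot: Step 2 keeps the misplaced comma in "For more information about converting packages see, [How to Migrate ...", and step 3 reads "For more information adding and provisioning packages see," with "about" missing. Both lines sit in this hunk, so fix them here: "For more information about converting packages, see [...]". The file name also still says 46-sp1 while the new title says only 4.6.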
diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md
index 5e1395c0f0..dc0aeb1008 100644
--- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md
+++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md
@@ -8,10 +8,11 @@ author: jamiejdt
# Migrating to App-V 5.1 from a Previous Version
-With Microsoft Application Virtualization (App-V) 5.1 you can migrate your existing App-V 4.6 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure.
+With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure.
+However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md)
**Note**
-App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V 5.1 packages.
+App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages.
For more information about the differences between App-V 4.6 and App-V 5.1, see the **Differences between App-4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md).
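Review bot: The two added sentences contradict each other as written: the first says you can migrate an existing App-V 4.6 infrastructure to App-V 5.1, and the second says "you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first". State the supported path once, for example that App-V 5.0 can be migrated directly and App-V 4.x must go through App-V 5.0. The second sentence is also a comma splice and the line ends without a period after the link. The last context line has "App-4.6" where "App-V 4.6" is meant.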
@@ -201,7 +202,7 @@ After you convert an existing package you should test the package prior to deplo
-When converting a package check for failing files or shortcuts. Locate the item in App-V 4.6 package. It could possibly be hard-coded path. Convert the path.
+When converting a package check for failing files or shortcuts. Locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path.
**Note**
It is recommended that you use the App-V 5.1 sequencer for converting critical applications or applications that need to take advantage of features. See, [How to Sequence a New Application with App-V 5.1](how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md).
@@ -230,7 +231,7 @@ The following table displays the recommended method for upgrading clients.
-Upgrade your environment to App-V 4.6 SP2 |
+Upgrade your environment to the latest version of App-V 4.6 |
[Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md). |
@@ -247,7 +248,7 @@ The following table displays the recommended method for upgrading clients.
**Important**
-You must be running App-V 4.6 SP2 to use coexistence mode. Additionally, when you sequence a package, you must configure the Managing Authority setting, which is in the **User Configuration** is located in the **User Configuration** section.
+You must be running the latest version of App-V 4.6 to use coexistence mode. Additionally, when you sequence a package, you must configure the Managing Authority setting, which is in the **User Configuration** is located in the **User Configuration** section.
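Review bot: The replaced line carries over a duplicated clause: "the Managing Authority setting, which is in the **User Configuration** is located in the **User Configuration** section". Reduce it to "which is located in the **User Configuration** section". As a coexistence-mode requirement, "the latest version of App-V 4.6" should also name the minimum service pack so the prerequisite can be checked.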
@@ -269,7 +270,7 @@ There is no direct method to upgrade to a full App-V 5.1 infrastructure. Use the
-Upgrade your environment to App-V 4.6 SP2. |
+Upgrade your environment to the latest version of App-V 4.6. |
[Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md). |
@@ -294,15 +295,15 @@ There is no direct method to upgrade to a full App-V 5.1 infrastructure. Use the
You can also perform additional migration tasks such as reconfiguring end points as well as opening a package created using a prior version on a computer running the App-V 5.1 client. The following links provide more information about performing these tasks.
-[How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
+[How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
-[How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
+[How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
-[How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
+[How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
-[How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 SP2 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
+[How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
-[How to Use an App-V 4.6 SP1 Application From an App-V 5.1 Application](how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md)
+[How to Use an App-V 4.6 Application From an App-V 5.1 Application](how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md)
## Got a suggestion for App-V?
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 05507c1d74..56f8c27db1 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -401,6 +401,30 @@
### [User Account Control](user-account-control-overview.md)
#### [How User Account Control works](how-user-account-control-works.md)
#### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
+#### [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md)
+### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
+
+##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
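Review bot: There is a blank added line between "#### [Onboard endpoints and set up access]" and its first child "##### [Configure endpoints]"; no other parent and child entries in this hunk are separated that way. Remove it so the TOC nesting is continuous and the tooling that parses TOC.md sees one block.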
@@ -411,4 +435,3 @@
### [Microsoft Passport guide](microsoft-passport-guide.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
### [Windows 10 security overview](windows-10-security-guide.md)
-
diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..604d4ba268
--- /dev/null
+++ b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,46 @@
+---
+title: Additional Windows Defender ATP configuration settings
+description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature.
+keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates,
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Additional Windows Defender ATP configuration settings
+
+**Applies to**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
+
+## Configure sample collection settings with Group Policy
+1. On your GP management machine, copy the following files from the
+ configuration package:
+
+ a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
+
+ b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
+
+2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor**, go to **Computer configuration**.
+
+4. Click **Policies**, then **Administrative templates**.
+
+5. Click **Windows components** and then **Windows Advanced Threat Protection**.
+
+6. Choose to enable or disable sample sharing from your endpoints.
+
+## Related topics
+
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
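Review bot: Step 6, "Choose to enable or disable sample sharing from your endpoints", does not say what the default is when the policy is not configured or what enabling it sends off the endpoint. For a setting that controls file samples leaving the machine, state the default and link to the data storage and privacy topic added to the TOC in this patch. Also confirm the node name in step 5, "Windows Advanced Threat Protection", matches the ADMX display name, since the rest of the page uses "Windows Defender Advanced Threat Protection". "**Applies to**" lacks the colon used in the other new topics, and the keywords line ends with a trailing comma.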
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..ee4ce0a4a9
--- /dev/null
+++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,70 @@
+---
+title: View and organize the Windows Defender ATP Alerts queue
+description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
+keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# View and organize the Windows Defender Advanced Threat Protection Alerts queue
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
+
+To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
+
+> **Note** By default, the queues are sorted from newest to oldest.
+
+The following table and screenshot demonstrate the main areas of the **Alerts queue**.
+
+
+
+Highlighted area|Area name|Description
+:---|:---|:---
+(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
+(2)|Alerts|Each alert shows:- The severity of an alert as a colored bar
- A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)
- The last occurrence of the alert on any machine
- The number of days the alert has been in the queue
- The severity of the alert
- The general category or type of alert, or the alert's kill-chain stage
- The affected machine (if there are multiple machines, the number of affected machines will be shown)
- A **Manage Alert** menu icon  that allows you to update the alert's status and add comments
Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
+(3)|Alerts sorting and filters | You can sort alerts by: - **Newest** (when the threat was last seen on your network)
- **Time in queue** (how long the threat has been in your queue)
- **Severity**
You can also filter the displayed alerts by:See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
+
+##Sort and filter the Alerts queue
+You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
+There are three mechanisms to pivot the queue against:
+
+1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing:
+
+ - **Newest** - Sorts alerts based on when the alert was last seen on an endpoint.
+ - **Time in queue** - Sorts alerts by the length of time an alert has been in the queue.
+ - **Severity** - Sorts alerts by their level of severity.
+
+2. Filter alerts by their **Severity** by opening the drop-down menu in the **Filter by** field and selecting one or more of the check boxes:
+
+ - High (Red) - Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
+ - Medium (Orange) - Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+ - Low (Yellow) - Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
+
+3. Limit the queue to see alerts from various set periods by clicking the drop-down menu in the date range field (by default, this is selected as **6 months**):
+
+ - **1 day**
+ - **3 days**
+ - **7 days**
+ - **30 days**
+ - **6 months**
+
+ > **Note** You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon 
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
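Review bot: In table row (3), "You can also filter the displayed alerts by:" is followed directly by "See [Windows Defender ATP alerts]" with no filter options listed; add the items (the section below names severity and time period) or remove the sentence. "##Sort and filter the Alerts queue" has no space after the hashes and will not render as a heading in stricter Markdown parsers. The description line reads "how the Windows Defender ATP alerts queue work"; it should be "works". "There are three mechanisms to pivot the queue against" would read better as "There are three ways to pivot the queue".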
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 3940db84d1..5d540eb6ae 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -11,6 +11,14 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## May 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
+| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
+| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
+
## April 2016
|New or changed topic | Description |
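Review bot: The new May 2016 table lists only the Microsoft Passport and User Account Control topics, while this same change adds new Windows Defender ATP topics under windows/keep-secure (for example configure-endpoints-windows-defender-advanced-threat-protection.md). If those topics are meant to be announced in the change history this month, add rows for them. The descriptions "Updated Roadmap section content" and "Updated for Windows 10 and Windows Server 2016 Technical Preview" also lack the closing period that the first row uses.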
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8ac1ba2c6b
--- /dev/null
+++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,103 @@
+---
+title: Configure Windows Defender ATP endpoints
+description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
+keywords: configure endpoints, client onboarding, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Configure Windows Defender ATP endpoints
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can use a Group Policy (GP) configuration package, a System Center Configuration Manager (SCCM) package, or an automated script to configure endpoints.
+
+## Configure with Group Policy
+Using the GP configuration package ensures your endpoints will be correctly configured to report to the Windows Defender ATP service.
+
+> **Note** To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later.
+
+1. Open the GP configuration package .zip file (*WindowsATPOnboardingPackage_GroupPolicy.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Client onboarding** on the **Navigation pane**.
+
+ b. Select **Group Policy**, click **Download package** and save the .zip file.
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
+
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
+
+5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
+
+6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
+
+7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+
+8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
+
+9. Click **OK** and close any open GPMC windows.
+
+For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
+
+
+## Configure with System Center Configuration Manager
+
+1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Client onboarding** on the **Navigation pane**.
+
+ b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
+
+2. Copy the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package.
+
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+
+ a. Choose a predefined device collection to deploy the package to.
+
+
+## Configure endpoints individually with an automated script
+
+You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
+
+
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Click **Client onboarding** on the **Navigation pane**.
+
+ b. Select **Manually on-board local machine**, click **Download package** and save the .zip file.
+
+
+2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
+
+2. Open an elevated command-line prompt on the endpoint and run the script:
+
+ a. Click **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+ 
+
+3. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
+
+4. Press the **Enter** key or click **OK**.
+
+See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
+
+## Related topics
+
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
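Review bot: In "Configure endpoints individually with an automated script", step 1 still calls the download a "GP configuration package" although the portal option selected is **Manually on-board local machine**, and the steps are numbered 1, 2, 2, 3, 4; drop "GP" and renumber. The package names differ between the three sections (*WindowsATPOnboardingPackage_GroupPolicy.zip*, *WindowsATPOnboardingPackage_ConfigurationManager.zip*, *WindowsDefenderATPOnboardingPackage.zip*), so confirm each against the actual download. In the Configuration Manager section, step 4 has a single sub-step "a." that can be folded into the step itself. Because the Group Policy task runs the shared *WindowsDefenderATPOnboardingScript.cmd* as SYSTEM with highest privileges, step 2 of that procedure should also state who is allowed to write to the share, not only that endpoints can read it.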
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..aef3743b8f
--- /dev/null
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,184 @@
+---
+title: Configure Windows Defender ATP endpoint proxy and Internet connection settings
+description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
+keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+
+# Configure endpoint proxy and Internet connectivity settings
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
+
+The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
+
+The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
+
+- Configure Web Proxy Auto Detect (WPAD) settings and configure Windows to automatically detect the proxy server
+
+- Configure the proxy server manually using Netsh
+
+## Configure Web Proxy Auto Detect (WPAD) settings and proxy server
+
+Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings.
+
+Enable the **Automatically detect settings** option in the Windows Proxy settings so that WinHTTP can use the WPAD feature to locate a proxy server.
+
+1. Click **Start** and select **Settings**.
+
+2. Click **Network & Internet**.
+
+3. Select **Proxy**.
+
+4. Verify that the **Automatically detect settings** option is set to On.
+
+ 
+
+5. If the **Use setup script** or **Manual proxy setup** options are enabled then you will need to [configure proxy settings manually by using Netsh](#configure-proxy-server-manually-using-netsh) method for WinHTTP to discover the appropriate proxy settings and connect.
+
+## Configure the proxy server manually using Netsh
+
+If **Use setup script** or **Manual proxy setup** settings are configured in the Windows Proxy setting, then endpoints will not be discovered by WinHTTP.
+Use Netsh to configure the proxy settings to enable connectivity.
+
+You can configure the endpoint by using any of these methods:
+
+- Importing the configured proxy settings to WinHTTP
+- Configuring the proxy settings manually to WinHTTP
+
+After configuring the endpoints, you'll need to verify that the correct proxy settings were applied.
+
+**Import the configured proxy settings to WinHTTP**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
+
+ ```text
+ netsh winhttp import proxy source=ie
+ ```
+ An output showing the applied WinHTTP proxy settings is displayed.
+
+
+ **Configure the proxy settings manually to WinHTTP**
+
+ 1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+ 2. Enter the following command and press **Enter**:
+
+ ```text
+ proxy [proxy-server=] ProxyServerName:PortNumber
+ ```
+ Replace *ProxyServerName* with the fully qualified domain name of the proxy server.
+
+ Replace *PortNumber* with the port number that you want to configure the proxy server with.
+
+ An output showing the applied WinHTTP proxy settings is displayed.
+
+
+**Verify that the correct proxy settings were applied**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
+
+```
+netsh winhttp show proxy
+```
+
+For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx)
+
+## Enable access to Windows Defender ATP service URLs in the proxy server
+
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
+
+- us.vortex-win.data.microsoft.com
+- eu.vortex-win.data.microsoft.com
+- sevillegwcus.microsoft.com
+- sevillegweus.microsoft.com
+- sevillegwweu.microsoft.com
+- sevillegwneu.microsoft.com
+- www.microsoft.com
+- crl.microsoft.com
+- \*.blob.core.windows.net
+
+If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
+
+## Verify client connectivity to Windows Defender ATP service URLs
+
+Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
+
+1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on:
+
+ - [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649)
+ - [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148)
+
+2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive.
+
+3. Open an elevated command-line:
+
+ a. Click **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+4. Enter the following command and press **Enter**:
+
+ ```
+ HardDrivePath\PsExec.exe -s cmd.exe
+ ```
+ Replace *HardDrivePath* with the path where the PsTools Suite was extracted to:
+ 
+
+5. Enter the following command and press **Enter**:
+
+ ```
+ HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp
+ ```
+ Replace *HardDrivePath* with the path where the PortQry utility was extracted to:
+ 
+
+6. Verify that the output shows that the name is **resolved** and connection status is **listening**.
+
+7. Repeat the same steps for the remaining URLs with the following arguments:
+
+ - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
+ - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
+ - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
+ - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
+ - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
+ - portqry.exe -n www.microsoft.com -e 80 -p tcp
+ - portqry.exe -n crl.microsoft.com -e 80 -p tcp
+
+8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
+
+If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+
+## Related topics
+
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
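Review bot: Under "Configure the proxy settings manually to WinHTTP", the command block reads `proxy [proxy-server=] ProxyServerName:PortNumber`, which is a syntax fragment and not something that can be entered at the prompt. The other two blocks give complete `netsh winhttp ...` commands, so this one should show the full `netsh winhttp set proxy` invocation with the two placeholders. That whole subsection is also indented, so it will render nested under step 2 of the import procedure; outdent it to match "Import the configured proxy settings to WinHTTP". In the Netsh section intro, "endpoints will not be discovered by WinHTTP" reads as if endpoints, not the proxy server, are what WinHTTP discovers. Typos: "The Window Defender ATP sensor" in the opening paragraph and "If the any of the verification steps" near the end.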
diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md
index d09240e41c..2642394fff 100644
--- a/windows/keep-secure/configure-the-application-identity-service.md
+++ b/windows/keep-secure/configure-the-application-identity-service.md
@@ -46,11 +46,4 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
3. Verify that the status for the Application Identity service is **Running**.
-
-
-
-
-
-
-
-
+Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic**.
\ No newline at end of file
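Review bot: The added sentence says the **Startup type** can no longer be set to **Automatic** manually but does not say what an administrator should do instead, which leaves the procedure that ends at step 3 without a supported path on Windows 10; name the supported method or link to it. "Starting with Windows 10, ... is now" is redundant, so drop "now". The sentence follows step 3 with no blank line between them, so check that it does not render as part of the list item, and the file now ends without a trailing newline.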
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..aa142cc631
--- /dev/null
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,94 @@
+---
+title: View the Windows Defender Advanced Threat Protection Dashboard
+description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
+keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# View the Windows Defender Advanced Threat Protection Dashboard
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+The **Dashboard** displays a snapshot of:
+
+- The latest active alerts on your network
+- Machines reporting
+- Top machines with active alerts
+- The overall status of Windows Defender ATP for the past 30 days
+- Machines with active malware detections
+
+You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
+
+From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
+
+It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.
+
+## ATP alerts
+You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.
+
+
+
+Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
+
+See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.
+
+The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
+
+## Machines at risk
+This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
+
+
+
+Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.
+
+You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
+
+## Status
+The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
+
+
+
+## Machines reporting
+The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
+
+
+
+## Machines with active malware detections
+The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
+
+Active malware is defined as threats that are actively executing at the time of detection.
+
+Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
+
+
+
+The chart is sorted into five categories:
+
+- **Password stealer** - threats that attempt to steal credentials.
+- **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access.
+- **Exploit** - threats that use software vulnerabilities to infect machines.
+- **Threat** - all other threats that don't fit into the **Password stealer**, **Ransomware**, or **Exploit** categories. This includes trojans, worms, backdoors, and viruses.
+- **Low severity** - threats with low severity, including adware and potentially unwanted software such as browser modifiers.
+
+Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk.
+
+Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
+
+> **Note** The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+### Related topics
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
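Review bot: The "Machines with active malware detections" section defines active malware twice in different terms: first as "threats that are actively executing at the time of detection", then as threats with "a very high probability that the malware was executing on your network". Keep one definition and make it the one the tile actually uses. The same section also states the Windows Defender requirement twice, once in its opening line and again in the closing Note; keep the Note, which carries the link and the "default real-time protection" qualifier. Smaller points: the front matter has no `author:` field, unlike the configure-endpoints and configure-proxy topics in this change; "hover over each severity bar to its label" is missing "see"; and the heading is "### Related topics" where the other new topics use "## Related topics".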
diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1286313495
--- /dev/null
+++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,73 @@
+---
+title: Windows Defender ATP data storage and privacy
+description: Learn about how Windows Defender ATP handles privacy and data that it collects.
+keywords: Windows Defender ATP data storage and privacy, storage, privacy
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Windows Defender ATP data storage and privacy
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
+> **Note** This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq).
+
+## What data does Windows Defender ATP collect?
+
+Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
+
+Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
+
+Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
+
+Microsoft uses this data to:
+- Proactively identify indicators of attack (IOAs) in your organization
+- Generate alerts if a possible attack was detected
+- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
+
+Microsoft does not mine your data for advertising or for any other purpose other than providing you the service.
+
+## Do I have the flexibility to select where to store my data?
+
+Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage.
+
+## Is my data isolated from other customer data?
+Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
+
+## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
+
+Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:
+
+- Tight access control to sensitive data
+- Combinations of controls that greatly enhance independent detection of malicious activity
+- Multiple levels of monitoring, logging, and reporting
+
+Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer’s account or related information in the performance of their duties.
+
+## Is data shared with other customers?
+No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
+
+## How long will Microsoft store my data? What is Microsoft’s data retention policy?
+Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days (from contract termination or expiration).
+
+## Can Microsoft help us maintain regulatory compliance?
+Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
+By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
+
+## Is there a difference between how Microsoft handles data for the preview programs and for General Availability?
+Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
+
+1. You choose Europe as your datacenter, and
+2. You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis).
+
+In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
+
+This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).
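Review bot: The retention answer, "your data will be erased from Microsoft's systems to make it unrecoverable after 90 days", can be read either as erased within 90 days or as kept for 90 days and then erased, and it says nothing about retention while the contract is active; reword so the timing is unambiguous. In "Do I have the flexibility to select where to store my data?", the phrase "except in specific circumstances during the preview stage" gives no detail, while the last section describes exactly one circumstance (European datacenter plus deep analysis submission); link the first statement to that section so the two agree. The opening Note blockquote follows the intro sentence with no blank line and may merge into it when rendered, and the front matter has no `author:` field.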
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f6244f66e0
--- /dev/null
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,249 @@
+---
+title: Review events and errors on endpoints with Event Viewer
+description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
+keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+
+# Review events and errors on endpoints with Event Viewer
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
+
+For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+
+> **Note** It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+
+**Open Event Viewer and find the Windows Defender ATP service event log:**
+
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
+ open the log.
+
+ a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
+
+ > **Note** SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
+
+
+
+
+Event ID |
+Message |
+Description |
+Action |
+
+
+1 |
+Windows Advanced Threat Protection service started (Version ```variable```). |
+Occurs during system start up, shut down, and during onbboarding. |
+Normal operating notification; no action required. |
+
+
+2 |
+Windows Advanced Threat Protection service shutdown. |
+Occurs when the endpoint is shut down or offboarded. |
+Normal operating notification; no action required. |
+
+
+3 |
+Windows Advanced Threat Protection service failed to start. Failure code: ```variable``` |
+Service did not start. |
+Review other messages to determine possible cause and troubleshooting steps. |
+
+
+4 |
+Windows Advanced Threat Protection service contacted the server at ```variable```. |
+variable = URL of the Windows Defender ATP processing servers.
+This URL will match that seen in the Firewall or network activity. |
+Normal operating notification; no action required. |
+
+
+5 |
+Windows Advanced Threat Protection service failed to connect to the server at ```variable```. |
+variable = URL of the Windows Defender ATP processing servers.
+The service could not contact the external processing servers at that URL. |
+Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity). |
+
+
+6 |
+Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. |
+The endpoint did not onboard correctly and will not be reporting to the portal. |
+Onboarding must be run before starting the service.
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
+
+
+7 |
+Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable``` |
+The endpoint did not onboard correctly and will not be reporting to the portal. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+8 |
+Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable``` |
+The endpoint did not onboard correctly and will not be reporting to the portal. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+9 |
+Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable``` |
+The endpoint did not onboard correctly and will not be reporting to the portal. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+10 |
+Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable``` |
+The endpoint did not onboard correctly and will not be reporting to the portal. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+11 |
+Windows Advanced Threat Protection service completed. |
+The endpoint onboarded correctly. |
+Normal operating notification; no action required.
+It may take several hours for the endpoint to appear in the portal. |
+
+
+12 |
+Windows Advanced Threat Protection failed to apply the default configuration. |
+Service was unable to apply configuration from the processing servers. |
+This is a server error and should resolve after a short period. |
+
+
+13 |
+Service machine ID calculated: ```variable``` |
+Normal operating process. |
+Normal operating notification; no action required. |
+
+
+14 |
+Service cannot calculate machine ID. Failure code: ```variable``` |
+Internal error. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+15 |
+Windows Advanced Threat Protection cannot start command channel with URL: ```variable``` |
+variable = URL of the Windows Defender ATP processing servers.
+The service could not contact the external processing servers at that URL. |
+Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity). |
+
+
+17 |
+Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable``` |
+An error occurred with the Windows telemetry service. |
+[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+18 |
+OOBE (Windows Welcome) is completed. |
+Service will only start after any Windows updates have finished installing. |
+Normal operating notification; no action required. |
+
+
+19 |
+OOBE (Windows Welcome) has not yet completed. |
+Service will only start after any Windows updates have finished installing. |
+Normal operating notification; no action required.
+If this error persists after a system restart, ensure all Windows updates have full installed. |
+
+
+20 |
+Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable``` |
+Internal error. |
+If this error persists after a system restart, ensure all Windows updates have full installed. |
+
+
+25 |
+Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable``` |
+The endpoint did not onboard correctly and will not be reporting to the portal. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+26 |
+Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable``` |
+The endpoint did not onboard correctly.
+It will report to the portal, however the service may not appear as registered in SCCM or the registry. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+27 |
+Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable``` |
+Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+Ensure real-time antimalware protection is running properly. |
+
+
+28 |
+Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable``` |
+An error occurred with the Windows telemetry service. |
+[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+30 |
+Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable``` |
+Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. |
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+Ensure real-time antimalware protection is running properly. |
+
+
+31 |
+Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable``` |
+An error occurred with the Windows telemetry service. |
+[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled). |
+
+
+33 |
+Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable``` |
+A unique identifier is used to represent each endpoint that is reporting to the portal.
+If the identifier does not persist, the same machine might appear twice in the portal. |
+Check registry permissions on the endpoint to ensure the service can update the registry. |
+
+
+34 |
+Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable``` |
+An error occurred with the Windows telemetry service. |
+[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+
+
+
+
+
+
+
+## Related topics
+
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
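Review bot: In the event 15 row the link target is `#configure-proxy-and-Internet-connectivity`, a same-page anchor, but this file has no heading with that name; event 5 points the same link text at `troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity`, so event 15 should use that target too. Smaller points in the same table: "onbboarding" in the event 1 description, "have full installed" (should be "fully installed") in events 19 and 20, and event 19 is described as a normal operating notification while its action text calls it "this error". The descriptions for events 18 and 19 talk about Windows updates while the messages are about OOBE; say how the two relate. The table skips event IDs 16, 21-24, 29 and 32; if those are intentionally undocumented, a one-line note above the table would keep readers from assuming an omission.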
diff --git a/windows/keep-secure/images/active-threat-icon.png b/windows/keep-secure/images/active-threat-icon.png
new file mode 100644
index 0000000000..d1bd6bfc81
Binary files /dev/null and b/windows/keep-secure/images/active-threat-icon.png differ
diff --git a/windows/keep-secure/images/add-user.png b/windows/keep-secure/images/add-user.png
new file mode 100644
index 0000000000..45b52bbc4d
Binary files /dev/null and b/windows/keep-secure/images/add-user.png differ
diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png
new file mode 100644
index 0000000000..7d23ae0374
Binary files /dev/null and b/windows/keep-secure/images/alert-details.png differ
diff --git a/windows/keep-secure/images/alert-icon.png b/windows/keep-secure/images/alert-icon.png
new file mode 100644
index 0000000000..941d867586
Binary files /dev/null and b/windows/keep-secure/images/alert-icon.png differ
diff --git a/windows/keep-secure/images/alertsq.png b/windows/keep-secure/images/alertsq.png
new file mode 100644
index 0000000000..b89dab8196
Binary files /dev/null and b/windows/keep-secure/images/alertsq.png differ
diff --git a/windows/keep-secure/images/alertsq2.png b/windows/keep-secure/images/alertsq2.png
new file mode 100644
index 0000000000..a11b5ba76b
Binary files /dev/null and b/windows/keep-secure/images/alertsq2.png differ
diff --git a/windows/keep-secure/images/analysis-results.png b/windows/keep-secure/images/analysis-results.png
new file mode 100644
index 0000000000..4d2afd09eb
Binary files /dev/null and b/windows/keep-secure/images/analysis-results.png differ
diff --git a/windows/keep-secure/images/assign-users.png b/windows/keep-secure/images/assign-users.png
new file mode 100644
index 0000000000..87c529be50
Binary files /dev/null and b/windows/keep-secure/images/assign-users.png differ
diff --git a/windows/keep-secure/images/atp.png b/windows/keep-secure/images/atp.png
new file mode 100644
index 0000000000..b300976d5e
Binary files /dev/null and b/windows/keep-secure/images/atp.png differ
diff --git a/windows/keep-secure/images/azure-active-directory-list.png b/windows/keep-secure/images/azure-active-directory-list.png
new file mode 100644
index 0000000000..1a126b049d
Binary files /dev/null and b/windows/keep-secure/images/azure-active-directory-list.png differ
diff --git a/windows/keep-secure/images/azure-active-directory.png b/windows/keep-secure/images/azure-active-directory.png
new file mode 100644
index 0000000000..b6e3efec10
Binary files /dev/null and b/windows/keep-secure/images/azure-active-directory.png differ
diff --git a/windows/keep-secure/images/azure-browse.png b/windows/keep-secure/images/azure-browse.png
new file mode 100644
index 0000000000..929c6050b4
Binary files /dev/null and b/windows/keep-secure/images/azure-browse.png differ
diff --git a/windows/keep-secure/images/azure-org-directory.png b/windows/keep-secure/images/azure-org-directory.png
new file mode 100644
index 0000000000..dbb20d17eb
Binary files /dev/null and b/windows/keep-secure/images/azure-org-directory.png differ
diff --git a/windows/keep-secure/images/azure-signout.png b/windows/keep-secure/images/azure-signout.png
new file mode 100644
index 0000000000..29dd863029
Binary files /dev/null and b/windows/keep-secure/images/azure-signout.png differ
diff --git a/windows/keep-secure/images/changes-icon.png b/windows/keep-secure/images/changes-icon.png
new file mode 100644
index 0000000000..6cf9d4eb8c
Binary files /dev/null and b/windows/keep-secure/images/changes-icon.png differ
diff --git a/windows/keep-secure/images/check-icon.png b/windows/keep-secure/images/check-icon.png
new file mode 100644
index 0000000000..20d181d703
Binary files /dev/null and b/windows/keep-secure/images/check-icon.png differ
diff --git a/windows/keep-secure/images/comments-icon.png b/windows/keep-secure/images/comments-icon.png
new file mode 100644
index 0000000000..bf54738910
Binary files /dev/null and b/windows/keep-secure/images/comments-icon.png differ
diff --git a/windows/keep-secure/images/comments.png b/windows/keep-secure/images/comments.png
new file mode 100644
index 0000000000..360aa79d2d
Binary files /dev/null and b/windows/keep-secure/images/comments.png differ
diff --git a/windows/keep-secure/images/components.png b/windows/keep-secure/images/components.png
new file mode 100644
index 0000000000..840f1cb0df
Binary files /dev/null and b/windows/keep-secure/images/components.png differ
diff --git a/windows/keep-secure/images/confirm-user-access.png b/windows/keep-secure/images/confirm-user-access.png
new file mode 100644
index 0000000000..6199186405
Binary files /dev/null and b/windows/keep-secure/images/confirm-user-access.png differ
diff --git a/windows/keep-secure/images/contoso-active-directory.png b/windows/keep-secure/images/contoso-active-directory.png
new file mode 100644
index 0000000000..1a126b049d
Binary files /dev/null and b/windows/keep-secure/images/contoso-active-directory.png differ
diff --git a/windows/keep-secure/images/contoso-application.png b/windows/keep-secure/images/contoso-application.png
new file mode 100644
index 0000000000..66cd9ac852
Binary files /dev/null and b/windows/keep-secure/images/contoso-application.png differ
diff --git a/windows/keep-secure/images/contoso-users.png b/windows/keep-secure/images/contoso-users.png
new file mode 100644
index 0000000000..39a6d1a7eb
Binary files /dev/null and b/windows/keep-secure/images/contoso-users.png differ
diff --git a/windows/keep-secure/images/contoso.png b/windows/keep-secure/images/contoso.png
new file mode 100644
index 0000000000..8c72d9ac32
Binary files /dev/null and b/windows/keep-secure/images/contoso.png differ
diff --git a/windows/keep-secure/images/detection-icon.png b/windows/keep-secure/images/detection-icon.png
new file mode 100644
index 0000000000..12d2217cdf
Binary files /dev/null and b/windows/keep-secure/images/detection-icon.png differ
diff --git a/windows/keep-secure/images/expand.png b/windows/keep-secure/images/expand.png
new file mode 100644
index 0000000000..aba33dc51f
Binary files /dev/null and b/windows/keep-secure/images/expand.png differ
diff --git a/windows/keep-secure/images/export-sccm.png b/windows/keep-secure/images/export-sccm.png
new file mode 100644
index 0000000000..62ed43e9e7
Binary files /dev/null and b/windows/keep-secure/images/export-sccm.png differ
diff --git a/windows/keep-secure/images/filter-log.png b/windows/keep-secure/images/filter-log.png
new file mode 100644
index 0000000000..02817ed992
Binary files /dev/null and b/windows/keep-secure/images/filter-log.png differ
diff --git a/windows/keep-secure/images/machine-investigation.png b/windows/keep-secure/images/machine-investigation.png
new file mode 100644
index 0000000000..df55bcf318
Binary files /dev/null and b/windows/keep-secure/images/machine-investigation.png differ
diff --git a/windows/keep-secure/images/machines-active-threats-tile.png b/windows/keep-secure/images/machines-active-threats-tile.png
new file mode 100644
index 0000000000..9f347dcf68
Binary files /dev/null and b/windows/keep-secure/images/machines-active-threats-tile.png differ
diff --git a/windows/keep-secure/images/machines-at-risk.png b/windows/keep-secure/images/machines-at-risk.png
new file mode 100644
index 0000000000..e2070de864
Binary files /dev/null and b/windows/keep-secure/images/machines-at-risk.png differ
diff --git a/windows/keep-secure/images/machines-reporting-tile.png b/windows/keep-secure/images/machines-reporting-tile.png
new file mode 100644
index 0000000000..96989bd0cf
Binary files /dev/null and b/windows/keep-secure/images/machines-reporting-tile.png differ
diff --git a/windows/keep-secure/images/machines-view.png b/windows/keep-secure/images/machines-view.png
new file mode 100644
index 0000000000..3baf15a05f
Binary files /dev/null and b/windows/keep-secure/images/machines-view.png differ
diff --git a/windows/keep-secure/images/manage-alert-menu.png b/windows/keep-secure/images/manage-alert-menu.png
new file mode 100644
index 0000000000..27f2129dbf
Binary files /dev/null and b/windows/keep-secure/images/manage-alert-menu.png differ
diff --git a/windows/keep-secure/images/menu-icon.png b/windows/keep-secure/images/menu-icon.png
new file mode 100644
index 0000000000..4a63d81069
Binary files /dev/null and b/windows/keep-secure/images/menu-icon.png differ
diff --git a/windows/keep-secure/images/not-remediated-icon.png b/windows/keep-secure/images/not-remediated-icon.png
new file mode 100644
index 0000000000..7d99acf323
Binary files /dev/null and b/windows/keep-secure/images/not-remediated-icon.png differ
diff --git a/windows/keep-secure/images/onboardingstate.png b/windows/keep-secure/images/onboardingstate.png
new file mode 100644
index 0000000000..0606e2b2c6
Binary files /dev/null and b/windows/keep-secure/images/onboardingstate.png differ
diff --git a/windows/keep-secure/images/overview.png b/windows/keep-secure/images/overview.png
new file mode 100644
index 0000000000..f8fc37f154
Binary files /dev/null and b/windows/keep-secure/images/overview.png differ
diff --git a/windows/keep-secure/images/portal-image.png b/windows/keep-secure/images/portal-image.png
new file mode 100644
index 0000000000..be59f06fa5
Binary files /dev/null and b/windows/keep-secure/images/portal-image.png differ
diff --git a/windows/keep-secure/images/portal.png b/windows/keep-secure/images/portal.png
new file mode 100644
index 0000000000..7bc1d56ed3
Binary files /dev/null and b/windows/keep-secure/images/portal.png differ
diff --git a/windows/keep-secure/images/portqry.png b/windows/keep-secure/images/portqry.png
new file mode 100644
index 0000000000..227b201d83
Binary files /dev/null and b/windows/keep-secure/images/portqry.png differ
diff --git a/windows/keep-secure/images/proxy-settings.png b/windows/keep-secure/images/proxy-settings.png
new file mode 100644
index 0000000000..717e483a89
Binary files /dev/null and b/windows/keep-secure/images/proxy-settings.png differ
diff --git a/windows/keep-secure/images/psexec-cmd.png b/windows/keep-secure/images/psexec-cmd.png
new file mode 100644
index 0000000000..dd35045531
Binary files /dev/null and b/windows/keep-secure/images/psexec-cmd.png differ
diff --git a/windows/keep-secure/images/remediated-icon.png b/windows/keep-secure/images/remediated-icon.png
new file mode 100644
index 0000000000..89d0890c14
Binary files /dev/null and b/windows/keep-secure/images/remediated-icon.png differ
diff --git a/windows/keep-secure/images/remove-menu.png b/windows/keep-secure/images/remove-menu.png
new file mode 100644
index 0000000000..04c622a051
Binary files /dev/null and b/windows/keep-secure/images/remove-menu.png differ
diff --git a/windows/keep-secure/images/resolve-alert.png b/windows/keep-secure/images/resolve-alert.png
new file mode 100644
index 0000000000..ffd43633fd
Binary files /dev/null and b/windows/keep-secure/images/resolve-alert.png differ
diff --git a/windows/keep-secure/images/rules-legend.png b/windows/keep-secure/images/rules-legend.png
new file mode 100644
index 0000000000..a044d20621
Binary files /dev/null and b/windows/keep-secure/images/rules-legend.png differ
diff --git a/windows/keep-secure/images/run-as-admin.png b/windows/keep-secure/images/run-as-admin.png
new file mode 100644
index 0000000000..f5166b77bc
Binary files /dev/null and b/windows/keep-secure/images/run-as-admin.png differ
diff --git a/windows/keep-secure/images/sc-query-diagtrack.png b/windows/keep-secure/images/sc-query-diagtrack.png
new file mode 100644
index 0000000000..1fd1031ae8
Binary files /dev/null and b/windows/keep-secure/images/sc-query-diagtrack.png differ
diff --git a/windows/keep-secure/images/sc-query-sense-autostart.png b/windows/keep-secure/images/sc-query-sense-autostart.png
new file mode 100644
index 0000000000..814513a98c
Binary files /dev/null and b/windows/keep-secure/images/sc-query-sense-autostart.png differ
diff --git a/windows/keep-secure/images/sc-query-sense-running.png b/windows/keep-secure/images/sc-query-sense-running.png
new file mode 100644
index 0000000000..0e537a3e96
Binary files /dev/null and b/windows/keep-secure/images/sc-query-sense-running.png differ
diff --git a/windows/keep-secure/images/sc-query-sense.png b/windows/keep-secure/images/sc-query-sense.png
new file mode 100644
index 0000000000..0e537a3e96
Binary files /dev/null and b/windows/keep-secure/images/sc-query-sense.png differ
diff --git a/windows/keep-secure/images/sccm-deployment.png b/windows/keep-secure/images/sccm-deployment.png
new file mode 100644
index 0000000000..99d9b858d8
Binary files /dev/null and b/windows/keep-secure/images/sccm-deployment.png differ
diff --git a/windows/keep-secure/images/service-components.png b/windows/keep-secure/images/service-components.png
new file mode 100644
index 0000000000..1dd6cd48ba
Binary files /dev/null and b/windows/keep-secure/images/service-components.png differ
diff --git a/windows/keep-secure/images/settings-icon.png b/windows/keep-secure/images/settings-icon.png
new file mode 100644
index 0000000000..697ba3b0c3
Binary files /dev/null and b/windows/keep-secure/images/settings-icon.png differ
diff --git a/windows/keep-secure/images/settings.png b/windows/keep-secure/images/settings.png
new file mode 100644
index 0000000000..bd9c0ef297
Binary files /dev/null and b/windows/keep-secure/images/settings.png differ
diff --git a/windows/keep-secure/images/sort-order-icon.png b/windows/keep-secure/images/sort-order-icon.png
new file mode 100644
index 0000000000..c3cda66580
Binary files /dev/null and b/windows/keep-secure/images/sort-order-icon.png differ
diff --git a/windows/keep-secure/images/status-tile.png b/windows/keep-secure/images/status-tile.png
new file mode 100644
index 0000000000..8c4b1e3356
Binary files /dev/null and b/windows/keep-secure/images/status-tile.png differ
diff --git a/windows/keep-secure/images/submit-file.png b/windows/keep-secure/images/submit-file.png
new file mode 100644
index 0000000000..63c350c9a9
Binary files /dev/null and b/windows/keep-secure/images/submit-file.png differ
diff --git a/windows/keep-secure/images/suppression-rules.png b/windows/keep-secure/images/suppression-rules.png
new file mode 100644
index 0000000000..cd78d0a860
Binary files /dev/null and b/windows/keep-secure/images/suppression-rules.png differ
diff --git a/windows/keep-secure/images/timeline.png b/windows/keep-secure/images/timeline.png
new file mode 100644
index 0000000000..83ac56f312
Binary files /dev/null and b/windows/keep-secure/images/timeline.png differ
diff --git a/windows/keep-secure/images/value-prop.png b/windows/keep-secure/images/value-prop.png
new file mode 100644
index 0000000000..75291f8d96
Binary files /dev/null and b/windows/keep-secure/images/value-prop.png differ
diff --git a/windows/keep-secure/images/windef-utc-console-start.png b/windows/keep-secure/images/windef-utc-console-start.png
new file mode 100644
index 0000000000..57c2020b04
Binary files /dev/null and b/windows/keep-secure/images/windef-utc-console-start.png differ
diff --git a/windows/keep-secure/images/windefatp-sc-qc-diagtrack.png b/windows/keep-secure/images/windefatp-sc-qc-diagtrack.png
new file mode 100644
index 0000000000..45ad95aeb7
Binary files /dev/null and b/windows/keep-secure/images/windefatp-sc-qc-diagtrack.png differ
diff --git a/windows/keep-secure/images/windefatp-sc-query-diagtrack.png b/windows/keep-secure/images/windefatp-sc-query-diagtrack.png
new file mode 100644
index 0000000000..1fd1031ae8
Binary files /dev/null and b/windows/keep-secure/images/windefatp-sc-query-diagtrack.png differ
diff --git a/windows/keep-secure/images/windefatp-sc-query.png b/windows/keep-secure/images/windefatp-sc-query.png
new file mode 100644
index 0000000000..fd1c05b648
Binary files /dev/null and b/windows/keep-secure/images/windefatp-sc-query.png differ
diff --git a/windows/keep-secure/images/windefatp-utc-console-autostart.png b/windows/keep-secure/images/windefatp-utc-console-autostart.png
new file mode 100644
index 0000000000..99a69e555d
Binary files /dev/null and b/windows/keep-secure/images/windefatp-utc-console-autostart.png differ
diff --git a/windows/keep-secure/images/windows-atp-service-users.png b/windows/keep-secure/images/windows-atp-service-users.png
new file mode 100644
index 0000000000..87c529be50
Binary files /dev/null and b/windows/keep-secure/images/windows-atp-service-users.png differ
diff --git a/windows/keep-secure/images/windows-atp-service.png b/windows/keep-secure/images/windows-atp-service.png
new file mode 100644
index 0000000000..e2175190f4
Binary files /dev/null and b/windows/keep-secure/images/windows-atp-service.png differ
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..02e10c15b7
--- /dev/null
+++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,62 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection alerts
+description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
+keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Investigate Windows Defender Advanced Threat Protection alerts
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
+
+There are three alert severity levels, described in the following table.
+
+Alert severity | Description
+:---|:---
+High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
+Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
+
+Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
+
+Alerts are organized in three queues, by their workflow status:
+
+- **New**
+- **In progress**
+- **Resolved**
+
+To begin investigating, click on an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md).
+
+Details displayed about the alert include:
+- When the alert was last observed
+- Alert description
+- Recommended actions
+- The potential scope of breach
+- The indicators that triggered the alert
+
+
+
+Alerts attributed to an adversary or actor display a colored tile with the actor name.
+
+Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
+
+Some actor profiles include a link to download a more comprehensive threat intelligence report.
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
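Review bot: In the actor-profile paragraph, "tools, tactics, and processes (TTPs)" does not match the usual expansion of TTP, which is tactics, techniques, and procedures; please use the standard wording so readers can map it to other threat intelligence material. The same sentence switches from "their interests or targets" to "where it's active", so pick one pronoun for the actor. The "### Related topics" heading jumps from the level-1 title straight to level 3, while the domain and IP topics in this patch use "## Related topics"; align the level across the set.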
diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f5864ee6f3
--- /dev/null
+++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,50 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection domains
+description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
+keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate a domain associated with a Windows Defender ATP alert
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
+
+You can see information from the following sections in the URL view:
+
+- URL details
+- URL in organization
+- Prevalence in organization
+- Communication with URL from organization
+
+The URL address details section shows attributes of the URL such as its contacts and nameservers.
+
+The **URL in organization** section provides details on the prevalence of the URL in the organization.
+
+The **Communication with URL in organization** section provides a chronological view on the events and associated alerts that were observed on the URL.
+
+**Investigate a domain:**
+
+1. Select **URL** from the **Search bar** drop-down menu.
+2. Enter the URL in the **Search** field.
+3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization.
+4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
+5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
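Review bot: The section names in the bullet list and in the descriptions under it do not agree: the list has "Communication with URL from organization" while the paragraph bolds "Communication with URL in organization", "URL details" becomes "The URL address details section", and "Prevalence in organization" is listed but never described. Use one name per section, matching the portal labels, and either describe the prevalence section or drop it from the list. Step 3 folds its caveat into the step as "Note: search results will only be returned for URLs observed in communications from machines in the organization"; the IP topic in this patch puts the same caveat in a "> **Note**" block, which is easier to spot and is what tells an analyst how to read an empty result. Step 5 should read "continue to investigate". The front-matter title says "domains" while the body says URL throughout; a sentence on how the two relate in this view would help.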
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..3b0b76a04d
--- /dev/null
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,135 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection files
+description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
+keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate a file associated with a Windows Defender ATP alert
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
+
+You can get information from the following sections in the file view:
+
+- File details
+- Deep analysis
+- File in organization
+- Observed in organization
+
+The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide.
+
+The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic.
+
+The **File in organization** section provides details on the prevalence of the file and the name observed in the organization.
+
+The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file.
+
+You'll see a list of machines associated with the file and a description of the action taken by the file.
+
+**Investigate a file**
+
+1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box:
+ - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ - Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section
+ - Search box - select **File** from the drop-down menu and enter the file name
+2. View the file details.
+3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.
+
+##Deep analysis
+Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
+
+The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
+Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files).
+
+Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+
+Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
+
+## Submit files for analysis
+
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
+
+In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
+
+> **Note** Only files from Windows 10 can be automatically collected.
+
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+
+> **Note** Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+
+When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
+
+**Submit files for deep analysis:**
+
+1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
+ - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ - **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+ - Search box - select **File** from the drop-down menu and enter the file name
+2. In the **Deep analysis** section of the file view, click **Submit**.
+
+
+
+>**Note** Only portable executable (PE) files are supported, including _.exe_ and _.dll_ files
+
+A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
+
+> **Note** Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+
+## View deep analysis report
+
+View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
+
+You can view the comprehensive report that provides details on:
+
+- Observed behaviors
+- Associated artifacts
+
+The details provided can help you investigate if there are indications of a potential attack.
+
+**View deep analysis reports:**
+
+1. Select the file you submitted for deep analysis.
+2. Click **See the report below**. Information on the analysis is displayed.
+
+
+
+## Troubleshooting deep analysis
+
+If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
+
+**Troubleshoot deep analysis:**
+
+1. Ensure the file is a PE. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
+2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+4. Verify the policy setting enables sample collection and try to submit the file again.
+
+ a. Change the following registry entry and values to change the policy on specific endpoints:
+ ```
+HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
+ Value = 0 - block sample collection
+ Value = 1 - allow sample collection
+```
+5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
+6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+> **Note** If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
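Review bot: In troubleshooting step 4, the registry block does not give an administrator enough to set the policy: it writes AllowSampleCollection as if it were part of the key path, while the note further down calls it a value, and no value type is stated. Please list the key, the value name and the type separately. The opening fence is indented by one space and the closing fence is not, and the block sits between sub-step "a." and step 5, so check that the list numbering survives rendering. The note that a missing AllowSampleCollection value means sample collection is allowed by default belongs next to step 4 rather than after step 6, since that default is what decides whether files can leave the endpoint. Smaller items: "##Deep analysis" needs a space after the hashes, "runs the file in is a secure environment" has a stray "is", "MD5 hash or number" is unclear, "see the **Deep analysis** topic" has no link, and the two procedures name the Machines view section differently ("Observed on machine" versus "Machine in organization").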
diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5e516f6425
--- /dev/null
+++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,58 @@
+---
+title: Investigate Windows Defender Advanced Threat Protection IP address
+description: Use the investigation options to examine possible communication between machines and external IP addresses.
+keywords: investigate, investigation, IP address, alert, windows defender atp, external IP
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Investigate an IP address associated with a Windows Defender ATP alert
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+
+Examine possible communication between your machines and external internet protocol (IP) addresses.
+
+Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
+
+You can information from the following sections in the IP address view:
+
+- IP address details
+- IP in organization
+- Communication with IP from organization
+
+The IP address details section shows attributes of the IP address such as its ASN and its reverse IPs.
+
+The **IP in organization** section provides details on the prevalence of the IP address in the organization.
+
+The **Communication with IP in organization** section provides a chronological view on the events and associated alerts that were observed on the IP address.
+
+**Investigate an external IP:**
+
+1. Select **IP** from the **Search bar** drop-down menu.
+2. Enter the IP address in the **Search** field.
+3. Click the search icon or press **Enter**.
+
+Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
+
+> **Note** Search results will only be returned for IP addresses observed in communication with machines in the organization.
+
+Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
+
+Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events.
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
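Review bot: The sentence introducing the section list, "You can information from the following sections in the IP address view:", is missing its verb; the file topic in this patch uses "You can get information from". The list names "Communication with IP from organization" but the description bolds "Communication with IP in organization", so use one label. In the procedure, the search-filter and machine-name paragraphs that follow step 3 are numbered steps 4 and 5 in the domain topic; numbering them here too would keep the two procedures parallel. "continue investigate" should be "continue to investigate".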
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a248e46dd3
--- /dev/null
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,152 @@
+---
+title: Investigate machines in the Windows Defender ATP Machines view
+description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view.
+keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Investigate machines in the Windows Defender ATP Machines view
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
+
+Use the Machines view in these two main scenarios:
+
+- **During onboarding**
+ - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis.
+- **Day-to-day work**
+ - The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.
+
+The Machines view contains the following columns:
+
+- **Machine name** - the name or GUID of the machine
+- **Domain** - the domain the machine belongs to
+- **Last seen** - when the machine last reported telemetry
+- **Internal IP** - the local internal Internet Protocol (IP) address of the machine
+- **Active Alerts** - the number of alerts reported by the machine by severity
+- **Active malware detections** - the number of active malware detections reported by the machine
+
+> **Note** The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+Click any column header to sort the view in ascending or descending order.
+
+
+
+You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Active Alerts**, and **Active malware detections**. Scroll down the **Machines view** to see additional machines.
+
+The view contains two filters: time and threat category.
+
+You can filter the view by the following time periods:
+
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months
+
+> **Note** When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
+
+The threat category filter lets you filter the view by the following categories:
+
+- Password stealer
+- Ransomware
+- Exploit
+- Threat
+- Low severity
+
+See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
+
+You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon  to download the entire list as a CSV file.
+
+ **Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
+Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
+
+## Investigate a machine
+Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
+
+You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
+
+- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
+- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- Any individual alert
+- Any individual file details view
+- Any IP address or domain details view
+
+When you investigate a specific machine, you'll see:
+
+- **Machine details**, **Machine IP Addresses**, and **Machine Reporting**
+- **Alerts related to this machine**
+- **Machine timeline**
+
+The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service.
+
+The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
+
+The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
+
+You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action. This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](portal-overview-windows-defender-advanced-threat-protection.md#windows-defender-atp-icons).
+
+This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
+
+
+
+Use the search bar to look for specific alerts or files associated with the machine.
+
+You can also filter by:
+
+- Signed or unsigned files
+- Detections mode: displays Windows ATP Alerts and detections
+- Behaviors mode: displays "detections" and selected events of interest
+- Verbose mode: displays "behaviors" (including "detections"), and all reported events
+- Logged on users, System, Network, or Local service
+
+Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day.
+
+Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older.
+
+The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
+
+From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
+
+From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
+
+Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
+
+
+
+**Investigate a machine:**
+
+1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
+ - **Dashboard** - click the machine name from the **Top machines with active alerts** section
+ - **Alerts queue** - click the machine name beside the machine icon
+ - **Machines view** - click the heading of the machine name
+ - **Search box** - select **Machine** from the drop-down menu and enter the machine name
+2. Information about the specific machine is displayed.
+
+
+**Use the machine timeline**
+
+1. Use the sort and filter feature to narrow down the search results.
+2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
+3. Click the expand icon  in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.
+
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
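Review bot: The CSV export instruction tells the reader to click the "**Manage Alert** menu icon", which is the name the alert-management topic in this patch uses for the menu on an alert heading; please confirm the icon name for the Machines view, since this reads like a copy-paste. Two links look mismatched: the text "Investigate machines with active alerts" points at the anchor "#investigate-machines-with-active-malware-detections", and the self-link "#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view" is mixed-case where every other anchor in the patch is lowercase. The export caveat is written as " **Note**:" on an indented line instead of the "> **Note**" block used elsewhere, and its first sentence ("Exporting the list depends on the number of machines") should say that the export time depends on it. The statement that the CSV ignores any filter applied in the view is worth keeping prominent, because an analyst may otherwise assume the file matches what is on screen. Typos: "sort and filer", "examine the behaviors or events in to help identify indicators of interests", "Windows ATP Alerts" without "Defender", and the sort list names "IP" while the column is "Internal IP".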
diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..12cc2527bd
--- /dev/null
+++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,141 @@
+---
+title: Manage Windows Defender Advanced Threat Protection alerts
+description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
+keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# Manage Windows Defender Advanced Threat Protection alerts
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
+
+See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
+
+Click the **Manage Alert** menu icon  on the top of the alert to access the Manage Alert menu and manage alerts.
+
+
+
+The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts.
+
+You can use the **Manage Alert** menu to:
+
+- Change the status of an alert
+- Resolve an alert
+- Suppress alerts so they won't show up in the **Alerts queue** from this point onwards
+- View the history and comments of an alert
+
+## Change the status of an alert
+
+You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
+
+For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
+
+Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
+
+**Change an alert's status:**
+
+1. Click the **Manage Alert** menu icon  on the heading of the alert.
+2. Choose the new status for the alert (the current status is highlighted in bold and appears on the alert).
+
+## Resolve an alert
+
+You can resolve an alert by changing the status of the alert to **Resolved**. This causes the **Resolve conclusion** window to appear, where you can indicate why the alert was resolved and enter any additional comments.
+
+
+
+The comments and change of status are recorded in the [Comments and history window](#view-history-and-comments).
+
+
+
+
+## Suppress alerts
+
+Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**.
+
+Suppression rules can be created from an existing alert.
+
+When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed.
+
+There are two contexts for a suppression rule that you can choose from:
+
+- **Suppress alert on this machine**
+- **Suppress alert in my organization**
+
+The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:
+
+**Context** | **Definition** |**Example scenarios**
+---|---|---
+**Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.
All other alerts on that machine will not be suppressed. | - A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
- A developer regularly creates PowerShell scripts for their team.
+**Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | - A benign administrative tool is used by everyone in your organization.
+
+
+**Suppress an alert and create a suppression rule:**
+
+1. Click the **Manage Alert** menu icon  on the heading of an existing alert.
+2. Choose the context for suppressing the alert.
+
+> **Note** You cannot create a custom or blank suppression rule. You must start from an existing alert.
+
+**See the list of suppression rules:**
+
+1. Click the settings icon  on the main menu bar at the top of the Windows Defender ATP screen.
+2. Click **Suppression rules**.
+
+ 
+
+> **Note** You can also click **See rules** in the confirmation window that appears when you suppress an alert.
+
+The list of suppression rules shows all the rules that users in your organization have created.
+Each rule shows:
+
+- (1) The title of the alert that is suppressed
+- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization
+- (3) The date when the alert was suppressed
+- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
+
+
+
+## View the history and comments of an alert
+You can use the **Manage Alert** menu icon  to see a list of previous changes and comments made to the alert and to add new comments. You can also use the menu to open multiple alerts in different tabs so you can compare several alerts at the same time.
+
+Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** window.
+
+**See the history of an alert and its comments:**
+
+1. Click the **Manage Alert** menu icon  on the heading of the alert.
+2. Click **Comments and history** to view related comments and history on the alert.
+
+Comments are indicated by a message box icon () and include the username of the commenter and the time the comment was made.
+
+**Add a new comment:**
+
+1. Type your comment into the field.
+2. Click **Post Comment**.
+
+The comment will appear instantly.
+
+You will also be prompted to enter a comment if you change the status of an alert to **Resolved**.
+
+Changes are indicated by a clock icon (), and are automatically recorded when:
+
+- The alert is created
+- The status of the alert is changed
+
+### Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
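Review bot: In the "Resolve an alert" section, the link `[Comments and history window](#view-history-and-comments)` points at an anchor that no heading in this file produces. The target heading is "View the history and comments of an alert", so the slug should be `#view-the-history-and-comments-of-an-alert` (or the heading should be shortened to match). Two smaller points in the same file: the keywords line contains "supression", which should be confirmed as an intentional search misspelling or removed, and the heading "## View the history and comments of an alert" is followed directly by body text while every other heading in the file is followed by a blank line.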
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
index af9f471ce3..ec41aa5d9a 100644
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@@ -33,7 +33,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
1. Try to create the PIN again. Some errors are transient and resolve themselves.
-2. Log out, log in, and try to create the PIN again.
+2. Sign out, sign in, and try to create the PIN again.
3. Reboot the device and then try to create the PIN again.
@@ -44,11 +44,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
-
-
-
-
-
+
-
-0x801C03ED |
-Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed
--or-
-Token was not found in the Authorization header
--or-
-Failed to read one or more objects |
-Unjoin the device from Azure Active Directory (Azure AD) and rejoin |
-
+
0x801C044D |
Authorization token does not contain device ID |
Unjoin the device from Azure AD and rejoin |
+
0x80090036 |
User cancelled an interactive dialog |
@@ -95,6 +84,10 @@ If the error occurs again, check the error code against the following table to s
0x80090005 |
NTE_BAD_DATA |
Unjoin the device from Azure AD and rejoin |
+
+0x80090029 |
+TPM is not set up. |
+Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
0x80090031 |
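Review bot: The mitigation for the new 0x80090029 row says "Sign on with an administrator account", while the rest of this patch standardizes on "sign in" / "sign out". Suggest "Sign in with an administrator account" for consistency. The row also puts tpm.msc in straight quotes ("tpm.msc") where the UI labels next to it are bold, so pick one convention for text the user types.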
@@ -124,17 +117,17 @@ If the error occurs again, check the error code against the following table to s
0x801C0010 |
The AIK certificate is not valid or trusted |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C0011 |
The attestation statement of the transport key is invalid |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C0012 |
Discovery request is not in a valid format |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C0015 |
@@ -159,7 +152,7 @@ If the error occurs again, check the error code against the following table to s
0x801C03E9 |
Server response message is invalid |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C03EA |
@@ -169,37 +162,42 @@ If the error occurs again, check the error code against the following table to s
0x801C03EB |
Server response http status is not valid |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C03EC |
Unhandled exception from server. |
-Log out and then log in again. |
+sign out and then sign in again. |
0x801C03ED |
-The request sent to the server was invalid. |
-Log out and then log in again. |
+Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed
+-or-
+Token was not found in the Authorization header
+-or-
+Failed to read one or more objects
+-or- The request sent to the server was invalid. |
+Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. |
0x801C03EE |
Attestation failed |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C03EF |
The AIK certificate is no longer valid |
-Log out and then log in again. |
+Sign out and then sign in again. |
0x801C044D |
Unable to obtain user token |
-Log out and then log in again. Check network and credentials. |
+Sign out and then sign in again. Check network and credentials. |
0x801C044E |
Failed to receive user creds input |
-Log out and then log in again. |
+Sign out and then sign in again. |
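Review bot: The 0x801C03EC row's mitigation starts with a lowercase "sign out and then sign in again." while every other row changed in this hunk starts with "Sign out". In the merged 0x801C03ED row, the last alternative is written as "-or- The request sent to the server was invalid." on a single line, whereas the preceding alternatives put "-or-" on its own line, so the fourth cause will render differently from the first three. Also worth checking while this table is open: 0x801C044D is listed here as "Unable to obtain user token" and earlier in the same table as "Authorization token does not contain device ID", with different mitigations, which leaves a reader unsure which entry applies.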
@@ -214,6 +212,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| Hex | Cause |
|-------------|-------------------------------------------------------------------------------------------------------|
| 0x80072f0c | Unknown |
+| 0x80070057 | Invalid parameter or argument is passed |
| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
| 0x80090020 | NTE\_FAIL |
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index d2d62ba501..ab603ccb7a 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -4,6 +4,7 @@ description: This guide describes the new Windows Hello and Microsoft Passport t
ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
keywords: ["security", "credential", "password", "authentication"]
ms.prod: W10
+ms.pagetype: security
ms.mktglfcycl: plan
ms.sitesec: library
author: challum
@@ -405,7 +406,7 @@ Table 1. Deployment requirements for Microsoft Passport
-Note that the current release of Windows 10 supports the Azure AD–only scenarios. Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
+Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
**Select policy settings**
@@ -465,17 +466,19 @@ In the Windows 10 initial release, Microsoft supports the following Microsoft P
- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments
-- Group Policy settings to control Microsoft Passport PIN length and complexity
+- Group Policy and MDM settings to control Microsoft Passport PIN length and complexity
+
+In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features:
+
+- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
+
+- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
In future releases of Windows 10, we plan to add support for additional features:
-- Additional biometric identifier types, including iris recognition
-
-- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
-
-- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
-
-- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
+- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments
+
+- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers.
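Review bot: The bullet "Additional biometric identifier types, including iris recognition" is deleted from the future-releases list and is not added to the new November 2015 list, so the claim disappears from the page entirely. If iris support is no longer planned or has shipped, the change description should say so; otherwise keep the bullet under "In future releases". The new future-releases bullet says "on-premises AD deployments" while the November 2015 bullet says "on-premises Azure AD deployments", and the difference between those two scenarios should be spelled out so the lists do not read as overlapping.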
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..fa17f2947f
--- /dev/null
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,56 @@
+---
+title: Minimum requirements for Windows Defender Advanced Threat Protection
+description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
+keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Minimum requirements for Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+There are some minimum requirements for onboarding your network and endpoints.
+
+## Minimum requirements
+
+### Network and data storage and configuration requirements
+
+
+
+
+When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in either a European or United States datacenter.
+
+> **Notes**
+- You cannot change your data storage location after the first-time setup.
+- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
+
+### Endpoint hardware and software requirements
+Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later.
+
+> **Note** Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+
+Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) for additional proxy configuration settings.
+
+Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
+
+### Deployment channel operating system requirements
+
+You can choose to onboard endpoints with a scheduled Group Policy (GP) or System Center Configuration Manager (SCCM) update (using a configuration package that you download from the portal or during the service onboarding wizard), or by manually running a script to modify the registry.
+
+The following describes the minimum operating system or software version
+required for each deployment channel.
+
+Deployment channel | Minimum server requirements
+:---|:---
+Group Policy settings | Windows Server 2008 R2
+System Center Configuration Manager | SCCM 2012
+Manual (script) | No minimum requirements
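Review bot: Under "Network and data storage and configuration requirements", the two bullets following `> **Notes**` are not prefixed with `>`, so they will likely render as an ordinary list outside the note block. Prefix each bullet with `>` or switch to the single-line `> **Note**` form used elsewhere in this patch. In "Endpoint hardware and software requirements", "The hardware requirements ... is the same as those" should read "are the same as those". The sentence "The following describes the minimum operating system or software version / required for each deployment channel." is hard-wrapped mid-sentence, unlike the rest of the file.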
diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..67ff38e86d
--- /dev/null
+++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,65 @@
+---
+title: Monitor Windows Defender ATP onboarding
+description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
+keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Monitor Windows Defender Advanced Threat Protection onboarding
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14322 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
+
+You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly.
+
+Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM).
+
+## Monitor with the portal
+
+1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+
+2. Click **Machines view**.
+
+3. Verify that endpoints are appearing.
+
+
+> **Note** It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
+
+## Monitor with System Center Configuration Manager
+
+Monitoring with SCCM consists of two parts:
+
+1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
+
+2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
+
+**To confirm the configuration package has been correctly deployed:**
+
+1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
+
+2. Click **Overview** and then **Deployments**.
+
+3. Click on the deployment with the package name.
+
+4. Review the status indicators under **Completion Statistics** and **Content Status**.
+
+If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
+
+
+
+## Related topics
+
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
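Review bot: The "Applies to" list says "Windows 10 Insider Preview Build 14322 or later", while the other Windows Defender ATP topics added in this patch say Build 14332; please confirm which build number is correct and make them agree. The SCCM section states that monitoring "consists of two parts" but only gives a procedure for the first (confirming the package deployed); the compliance check has no steps or link. In the failed-deployments sentence, the bold span `**Failed statuses**` includes the word "statuses", which is not part of the status name.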
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..baf6178433
--- /dev/null
+++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,40 @@
+---
+title: Onboard endpoints and set up the Windows Defender ATP user access
+description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service.
+keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Onboard and set up Windows Defender Advanced Threat Protection
+
+**Applies to:**
+
+- Windows 10 TAP program
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You need to onboard to Windows Defender ATP before you can use the service.
+
+
+
+
+
+## In this section
+Topic | Description
+:---|:---
+[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn how you can use the configuration package to configure endpoints in your enterprise.
+[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
+[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature.
+[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports.
+[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
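Review bot: In the "In this section" table, `[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md)` has a space between `]` and `(`, so it will not render as a link. Remove the space. The title and description mention setting up user access in Azure Active Directory, but the table has no row for a user-access or service-onboarding topic, and "Applies to" lists "Windows 10 TAP program" where the sibling topics list an Insider Preview build. The "## In this section" heading is also missing the blank line before the table that the other tables in this patch have.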
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..b5dae385ac
--- /dev/null
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,68 @@
+---
+title: Windows Defender Advanced Threat Protection portal overview
+description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DulceMV
+---
+
+# Windows Defender Advanced Threat Protection portal overview
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+
+Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+
+You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
+- View, sort, and triage alerts from your endpoints
+- Search for more information on observed indicators such as files and IP Addresses
+- Change Windows Defender ATP settings, including time zone and alert suppression rules
+
+## Windows Defender ATP portal
+When you open the portal, you’ll see the main areas of the application:
+- (1) Settings
+- (2) Navigation pane
+- (3) Main portal
+- (4) Search bar
+
+
+ 
+
+> **Note** Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
+
+Area | Description
+:---|:---
+(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**.
+**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
+**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
+**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
+**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period.
+**Client onboarding**| Allows you to download the onboarding configuration package.
+(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
+(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
+
+## Windows Defender ATP icons
+The following table provides information on the icons used all throughout the portal:
+
+Icon | Description
+:---|:---
+| Alert – Indication of an activity correlated with advanced attacks.
+| Detection – Indication of a malware threat detection.
+| Active threat – Threats actively executing at the time of detection.
+| Remediated – Threat removed from the machine
+| Not remediated – Threat not removed from the machine.
+
+
+### Related topic
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
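Review bot: The bullet lists after "You can use the [Windows Defender ATP portal](...) to:" and after "When you open the portal, you'll see the main areas of the application:" start on the very next line with no blank line, which some Markdown renderers fold into the preceding paragraph; add a blank line before each list. In the icons table, the "Remediated – Threat removed from the machine" row is missing the closing period that the other rows have, and the rows as shown have an empty Icon column, so please confirm the icon images are actually included. "IP Addresses" is capitalized mid-sentence in two places, and the closing heading is "### Related topic" where the other new topics use "Related topics".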
diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md
index 81f5647bf1..741e8c2005 100644
--- a/windows/keep-secure/security-technologies.md
+++ b/windows/keep-secure/security-technologies.md
@@ -10,60 +10,19 @@ author: brianlic-msft
# Security technologies
-
Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
-## In this section
-
-
-
-
-
-
-
-
-
-
-
-
-[AppLocker](applocker-overview.md) |
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. |
-
-
-[BitLocker](bitlocker-overview.md) |
-This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. |
-
-
-[Encrypted Hard Drive](encrypted-hard-drive.md) |
-Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
-
-
-[Security auditing](security-auditing-overview.md) |
-Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. |
-
-
-[Security policy settings](security-policy-settings.md) |
-This reference topic describes the common scenarios, architecture, and processes for security settings. |
-
-
-[Trusted Platform Module](trusted-platform-module-overview.md) |
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. |
-
-
-[User Account Control](user-account-control-overview.md) |
-User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-
-
-[Windows Defender in Windows 10](windows-defender-in-windows-10.md) |
-This topic provides an overview of Windows Defender, including a list of system requirements and new features. |
-
-
-
-
-
+| Topic | Description |
+|-|-|
+| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
+| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.|
+| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
+| [Security auditing](security-auditing-overview.md)| Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.|
+| [Security policy settings](security-policy-settings.md)| This reference topic describes the common scenarios, architecture, and processes for security settings.|
+| [Trusted Platform Module](trusted-platform-module-overview.md)| This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.|
+| [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.|
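Review bot: In the added Security auditing row, "Topics in this section are for IT professionals and describes the security auditing features" has a subject-verb mismatch; change "describes" to "describe". Spacing before the cell separator is also inconsistent across the new rows (`(applocker-overview.md)|` versus `(encrypted-hard-drive.md) |`); pick one form for the whole table.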
diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1be3c1bfe6
--- /dev/null
+++ b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,120 @@
+---
+title: Windows Defender ATP service onboarding
+description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
+keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users,
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Windows Defender ATP service onboarding
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Azure Active Directory
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal.
+
+**Manage user access to the Windows Defender ATP portal**:
+
+1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not
+ have users assigned to the Windows ATP Service application, you will
+ be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.
+
+ > **Note** In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.
+
+2. Ensure you have logged in to Microsoft Azure with an account that
+ has permissions to assign users to an application in AAD. You might
+ need to sign out of Microsoft Azure and then sign back in again if
+ you used a different account to sign in to the Windows Defender ATP
+ portal:
+
+ a. On the top menu, click the signed-in user’s name.
+
+ b. Click **Sign out**.
+
+ 
+
+ c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.
+
+ d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD.
+
+3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).
+
+ 
+
+4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:
+
+ a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.
+
+ 
+
+ b. Scroll down in the navigation pane and click **Active Directory**.
+
+ 
+
+5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
+ called **Contoso**.
+
+ 
+
+ > **Note** You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.
+
+6. Click **Applications** from the top menu bar.
+
+ 
+
+7. Click the **Windows ATP Service** application. The dashboard for the application is shown.
+
+ 
+
+ > **Note** The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**.
+
+8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.
+
+ 
+
+ 
+
+ > **Note** If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory.
+
+9. Select the user you want manage.
+
+10. Click **Assign**.
+
+11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages, they will go away after a short period of time.
+
+ 
+
+12. To remove the user's access, click **Remove**.
+
+13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** . One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period.
+
+ 
+
+14. To remove the access for all users, click **Manage access**. If you click **Complete** , you will not see the Windows ATP Service in the list of applications in your directory.
+
+ > **Note** If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+
+15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
+
+ > **Note** You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above.
+
+When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the
+page.
+
+Follow the steps in the onboarding wizard to complete the onboarding process.
+
+At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard.
+
+## Related topics
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
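Review bot: Steps 12 to 14 revoke access but sit inside the numbered procedure for granting it, so a reader following the list top to bottom assigns a user in step 11 and is then told to remove that user in step 12. Move the removal steps into their own procedure with its own bold lead-in. Step 14 also goes from "click **Manage access**" straight to "If you click **Complete**" without saying what to select in between, and because it affects every user the result should be stated before the click, not after. Smaller points: the application is called "Windows Defender ATP Service" in the introduction and "Windows ATP Service" in steps 1, 7 and 14; step 2c reads "Go the" and step 9 reads "you want manage"; the `keywords:` line ends with a dangling comma.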
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f976f74857
--- /dev/null
+++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection settings
+description: Use the menu to configure the time zone, suppression rules, and view license information.
+keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license, suppression rules
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DulceMV
+---
+
+# Windows Defender Advanced Threat Protection settings
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Use the **Settings** menu  to configure the time zone, suppression rules, and view license information.
+
+## Time zone settings
+The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
+
+Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings.
+
+Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
+
+Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu .
+
+### UTC time zone
+Windows Defender ATP uses UTC time by default.
+
+Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. Choosing this setting means that all users will see the same timestamps in Windows Defender ATP, regardless of their regional settings. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
+
+### Local time zone
+You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
+
+The local time zone is taken from your machine’s regional settings. If you change your regional settings, the Windows Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Windows Defender ATP will be aligned to local time for all Windows Defender ATP users. Analysts located in different global locations will now see the Windows Defender ATP alerts according to their regional settings.
+
+Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
+
+### Set the time zone
+The Windows Defender ATP time zone is set by default to UTC.
+Setting the time zone also changes the times for all Windows Defender ATP views.
+To set the time zone:
+
+1. Click the **Settings** menu .
+2. Select the **Timezone:UTC** indicator.
+3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
+
+## Suppression rules
+The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+
+## License
+Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
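Review bot: The "Local time zone" section contradicts itself on scope: it says the zone "is taken from your machine’s regional settings" and that analysts in different locations see alerts "according to their regional settings", but also that timestamps "will be aligned to local time for all Windows Defender ATP users". State plainly whether the Timezone toggle is per user or applies to everyone, since analysts comparing timestamps for the same event need to know whether a colleague sees the same value. In "Set the time zone", step 2 assumes the indicator currently reads **Timezone:UTC**; word the steps so they work from either state.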
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..09251bb1f6
--- /dev/null
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,369 @@
+---
+title: Troubleshoot Windows Defender ATP onboarding issues
+description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
+keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
+This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding.
+
+## Endpoints are not reporting to the service correctly
+
+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
+
+Go through the following verification topics to address this issue:
+
+- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
+- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
+- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
+
+
+### Ensure the endpoint is onboarded successfully
+If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
+
+**Check the onboarding state in Registry**:
+
+1. Click **Start**, type **Run**, and press **Enter**
+
+2. From the **Run** dialog box, type **regedit** and press **Enter**.
+
+4. In the **Registry Editor** navigate to the Status key under:
+
+ ```text
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
+```
+
+5. Check the **OnboardingState** value is set to **1**.
+
+ 
+
+If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
+
+**Use Event Viewer to identify and adress onboarding errors**:
+
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
+
+ > **Note** SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+3. Select **Operational** to load the log.
+
+4. In the **Action** pane, click **Filter Current log**.
+
+5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
+
+ 
+
+6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
+
+Event ID | Message | Resolution steps
+:---|:---|:---
+5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then [run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+
+
+### Ensure the Windows Defender ATP service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
+
+You can use the SC command line program for checking and managing the startup type and running state of the service.
+
+**Check the Windows Defender ATP service startup type from the command line:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start**, type **cmd**, and press **Enter**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc qc sense
+ ```
+
+If the the service is running, then the result should look like the following screenshot:
+
+ 
+
+If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+**Change the Windows Defender ATP service startup type from the command line:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start**, type **cmd**, and press **Enter**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc config sense start=auto
+ ```
+
+3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
+
+ ```text
+ sc qc sense
+ ```
+
+**Check the Windows Defender ATP service is running from the command line:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start**, type **cmd**, and press **Enter**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc query sense
+ ```
+
+If the service is running, the result should look like the following screenshot:
+
+
+
+If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
+
+**Start the Windows Defender ATP service from the command line:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start**, type **cmd**, and press **Enter**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc start sense
+ ```
+
+3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
+
+ ```text
+ sc qc sense
+ ```
+
+### Ensure the telemetry and diagnostics service is enabled
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
+
+
+First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
+
+### Ensure the service is set to start
+
+**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start**, type **cmd**, and press **Enter**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc qc diagtrack
+ ```
+
+If the service is enabled, then the result should look like the following screenshot:
+
+
+
+If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+
+
+**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Click **Start**, type **cmd**, and press **Enter**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc config diagtrack start=auto
+ ```
+
+3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+ ```text
+ sc qc diagtrack
+ ```
+
+**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1. Open the services console:
+
+ a. Click **Start** and type **services**.
+
+ b. Press **Enter** to open the console.
+
+2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3. Check the **Startup type** column - the service should be set as **Automatic**.
+
+If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does.
+
+
+**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1. Open the services console:
+
+ a. Click **Start** and type **services**.
+
+ b. Press **Enter** to open the console.
+
+2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3. Right-click on the entry and click **Properties**.
+
+4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
+
+ 
+
+### Ensure the service is running
+
+**Use the command line to check the Windows 10 telemetry and diagnostics service is running**:
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. **Click **Start** and type **cmd**.**
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc query diagtrack
+ ```
+
+If the service is running, the result should look like the following screenshot:
+
+
+
+If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
+
+
+**Use the command line to start the Windows 10 telemetry and diagnostics service:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. **Click **Start** and type **cmd**.**
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc start diagtrack
+ ```
+
+3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+ ```text
+ sc query diagtrack
+ ```
+
+**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**:
+
+1. Open the services console:
+
+ a. Click **Start** and type **services**.
+
+ b. Press **Enter** to open the console.
+
+2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3. Check the **Status** column - the service should be marked as **Running**.
+
+If the service is not running, you'll need to start it.
+
+
+**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:**
+
+1. Open the services console:
+
+ a. Click **Start** and type **services**.
+
+ b. Press **Enter** to open the console.
+
+2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
+
+3. Right-click on the entry and click **Start**, as shown in the following image.
+
+
+
+
+### Ensure the endpoint has an Internet connection
+
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
+
+WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
+
+To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
+
+If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
+
+
+
+## Related topics
+
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
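Review bot: In "Start the Windows Defender ATP service from the command line", step 3 verifies the start with `sc qc sense`, which is the command this topic uses to read START_TYPE, not STATE; use `sc query sense`, as the diagtrack section already does after `sc start diagtrack`. In "Check the onboarding state in Registry" the numbering skips step 3, and the text says to navigate to the Status key while the path shown ends at `Windows Advanced Threat Protection`, so say explicitly where **OnboardingState** lives. The four links in the verification list use anchors such as `#Ensure-that-the-endpoint-is-onboarded-successfully` that do not match the headings, while the event table uses `#ensure-the-endpoint-has-an-internet-connection`. Event IDs 6 and 7 carry an identical message with different resolutions; confirm the message for 7. "Ensure the service is set to start" and "Ensure the service is running" are `###` headings but are subsections of the `###` telemetry heading. Typos: "adress", "If the the service", "Window Defender ATP sensor", and the nested bold in `**Click **Start** and type **cmd**.**`.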
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1d15cf5dd7
--- /dev/null
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,63 @@
+---
+title: Troubleshoot Windows Defender Advanced Threat Protection
+description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
+keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+# Troubleshoot Windows Defender Advanced Threat Protection
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+
+### Server error - Access is denied due to invalid credentials
+If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
+Configure your browser to allow cookies.
+
+### No data is shown on the portal
+If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
+
+Depending on your region, add the following endpoints to the whitelist:
+
+U.S. region:
+
+- daasmon-cus-prd.cloudapp.net
+- daasmon-eus-prd.cloudapp.net
+- dataaccess-cus-prd.cloudapp.net
+- dataaccess-eus-prd.cloudapp.net
+- onboardingservice-prd.trafficmanager.net
+- sevillefeedback-prd.trafficmanager.net
+- sevillesettings-prd.trafficmanager.net
+- threatintel-cus-prd.cloudapp.net
+- threatintel-eus-prd.cloudapp.net
+
+
+
+EU region:
+
+- dataaccess-neu-prd.cloudapp.net
+- dataaccess-weu-prd.cloudapp.net
+- onboardingservice-prd.trafficmanager.net
+- sevillefeedback-prd.trafficmanager.net
+- sevillesettings-prd.trafficmanager.net
+- threatintel-neu-prd.cloudapp.net
+- threatintel-weu-prd.cloudapp.net
+
+
+### Windows Defender ATP service shows event or error logs in the Event Viewer
+
+See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
+
+
+### Related topic
+- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+- [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
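Review bot: Under "No data is shown on the portal", the sentence ends with "endpoints that also use this protocol", but no protocol is named anywhere in the topic; name it or drop the clause, because a reader building a proxy or firewall allow list cannot act on it as written. The U.S. list includes two `daasmon-*` hosts with no EU counterpart; confirm that is intended. The opening paragraph calls the product "Windows Defender Advanced Threat service" (missing "Protection"), the section headings jump from `#` to `###`, and "Related topic" heads a list of two links.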
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..dd0fc24f67
--- /dev/null
+++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,45 @@
+---
+title: Use the Windows Defender Advanced Threat Protection portal
+description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
+keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Use the Windows Defender Advanced Threat Protection portal
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+A typical security breach investigation requires a member of a security operations team to:
+
+1. View an alert on the **Dashboard** or **Alerts queue**
+2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
+3. Review a timeline of alerts, behaviors, and events from the machine
+4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
+
+
+
+Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
+
+Teams can monitor the overall status of enterprise endpoints from the **Dashboard**, gain insight on the various alerts, their category, when they were observed, and how long they’ve been in the network at a glance.
+
+### In this section
+
+Topic | Description
+:---|:---
+[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
+[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
+[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
+[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
+[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
+[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses.
+[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
+[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
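Review bot: The sentence "Security operation teams can use Windows Defender ATP portal" is missing an article and does not match the "security operations team" wording used in the opening line of the same topic; suggest "Security operations teams can use the Windows Defender ATP portal". In step 2 the abbreviations are also inconsistent (`(IOC)` singular next to `(IOAs)` plural), and the two consecutive empty added lines after the numbered list can be reduced to one.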
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
new file mode 100644
index 0000000000..8da09ab38e
--- /dev/null
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@@ -0,0 +1,195 @@
+---
+title: User Account Control Group Policy and registry key settings (Windows 10)
+description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# User Account Control Group Policy and registry key settings
+
+**Applies to**
+
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+## Group Policy settings
+There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
+
+
+| Group Policy setting | Registry key | Default |
+| - | - | - | - |
+| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
+| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
+| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
+| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
+| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)
Disabled (default for enterprise) |
+| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
+| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
+| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
+| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
+| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
+
+### User Account Control: Admin Approval Mode for the built-in Administrator account
+
+The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
+
+The options are:
+
+- **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
+- **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege.
+
+
+### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
+
+The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+The options are:
+
+- **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+- **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
+
+UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
+
+UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
+
+- ...\\Program Files, including subfolders
+- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
+- ...\\Windows\\System32
+
+The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
+
+While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
+
+If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
+
+If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
+
+This policy setting does not change the behavior of the UAC elevation prompt for administrators.
+
+If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
+
+
+### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+- **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
+
+ **Note** Use this option only in the most constrained environments.
+
+- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+- **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+- **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+
+
+### User Account Control: Behavior of the elevation prompt for standard users
+
+The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+- **Prompt for credentials on the secure desktop.** (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+### User Account Control: Detect application installations and prompt for elevation
+
+The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
+
+The options are:
+
+- **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+
+### User Account Control: Only elevate executables that are signed and validated
+
+The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+
+- **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+- **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+
+### User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- ...\\Program Files, including subfolders
+- ...\\Windows\\system32
+- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
+
+**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+
+- **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+- **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+
+### User Account Control: Run all administrators in Admin Approval Mode
+
+The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+
+- **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode.
+- **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled.
+
+**Note** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+
+### User Account Control: Switch to the secure desktop when prompting for elevation
+
+The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+
+- **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+- **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+
+When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
+
+| Administrator policy setting | Enabled | Disabled |
+| - | - | - |
+| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+
+When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
+
+| Standard policy setting | Enabled | Disabled |
+| - | - | - |
+| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
+| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+
+### User Account Control: Virtualize file and registry write failures to per-user locations
+
+The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
+
+The options are:
+
+- **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+- **Disabled.** Applications that write data to protected locations fail.
+
+## Registry key settings
+
+The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description.
+
+| Registry key | Group Policy setting | Registry setting |
+| - | - | - |
+| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
1 = Enabled |
+| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
1 = Enabled |
+| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
|
+| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials |
+| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
0 = Disabled (default for enterprise) |
+| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled
1 = Enabled |
+| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled
1 (Default) = Enabled |
+| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled
1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
1 (Default) = Enabled |
+| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled
1 (Default) = Enabled |
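Review bot: The default for ConsentPromptBehaviorUser is stated two different ways in this file. The Group Policy table and the option list under "Behavior of the elevation prompt for standard users" mark **Prompt for credentials on the secure desktop** as the default, while the registry table marks `3 (Default) = Prompt for credentials`. Make the two agree, since readers will treat the registry value as the baseline to audit against. Two formatting problems in the same hunk: the first table's separator row has four cells (`| - | - | - | - |`) under a three-column header, and three anchors will not resolve as written: both EnableUIADesktopToggle links contain a space (`...applications-to prompt-for-elevation...`) and the PromptOnSecureDesktop link in the registry table contains a colon (`#user-account-control:-switch-to-...`) that the same link in the first table does not. The heading text "Run all administrators Admin Approval Mode" in the body paragraph is also missing "in".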
diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md
index 71d4e00483..5220e7b05d 100644
--- a/windows/keep-secure/user-account-control-overview.md
+++ b/windows/keep-secure/user-account-control-overview.md
@@ -10,57 +10,34 @@ author: brianlic-msft
# User Account Control
-
**Applies to**
-- Windows 10
+- Windows 10
+- Windows Server 2016 Technical Preview
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-##
-
-
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device.
-## Practical applications
-
+## Practical applications
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
-## New and changed functionality
-
+## New and changed functionality
To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md).
## In this section
-
-
-
-
-
-
-
-
-
-
-
-[How User Account Control works](how-user-account-control-works.md) |
-User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
-
-
-[User Account Control security policy settings](user-account-control-security-policy-settings.md) |
-You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
-
-
-
+| Topic | Description |
+| - | - |
+| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
+| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
+| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. |
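Review bot: Several blank lines are removed around headings in this hunk, and as it reads here the new table header `| Topic | Description |` follows `## In this section` directly, as do the paragraphs under `## Practical applications` and `## New and changed functionality`. Please confirm a blank line remains between each heading and the content below it, because some Markdown renderers will not recognize a table that starts on the line immediately after a heading. Separately, the Applies to list now includes Windows Server 2016 Technical Preview while the first paragraph still speaks only of "a PC"; consider whether that wording should be broadened.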
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5637c81086
--- /dev/null
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -0,0 +1,86 @@
+---
+title: Windows Defender Advanced Threat Protection - Windows Defender
+description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
+keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: mjcaparas
+---
+
+# Windows Defender Advanced Threat Protection
+
+**Applies to:**
+
+- Windows 10 Insider Preview Build 14332 or later
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+
+Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
+
+- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
+ collect and process behavioral signals from the operating system
+ (for example, process, registry, file, and network communications)
+ and sends this telemetry to your private, isolated, cloud instance of Windows Defender ATP.
+
+
+- **Cloud security analytics**: Leveraging big-data, machine-learning, and
+ unique Microsoft optics across the Windows ecosystem (such as the
+ [Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx),
+ enterprise cloud products (such as Office 365), and online assets
+ (such as Bing and SmartScreen URL reputation), behavioral signals
+ are translated into insights, detections, and recommended responses
+ to advanced threats.
+
+- **Threat intelligence**: Generated by Microsoft hunters, security teams,
+ and augmented by threat intelligence provided by partners, threat
+ intelligence enables Windows Defender ATP to identify attacker
+ tools, techniques, and procedures, and generate alerts when these
+ are observed in collected telemetry.
+
+The following diagram shows these Windows Defender ATP service
+components:
+
+
+
+Endpoint investigation capabilities in this service let you drill down
+into security alerts and understand the scope and nature of a potential
+breach. You can submit files for deep analysis and receive the results
+without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com).
+
+Windows Defender ATP works with existing Windows security technologies
+on endpoints, such as Windows Defender, AppLocker, and Device Guard. It
+can also work side-by-side with third-party security solutions and
+antimalware products.
+
+Windows Defender ATP leverages Microsoft technology and expertise to
+detect sophisticated cyber-attacks, providing:
+
+- Behavior-based, cloud-powered, advanced attack detection
+
+ Finds the attacks that made it past all other defenses (post breach detection),provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
+
+- Rich timeline for forensic investigation and mitigation
+
+ Easily investigate the scope of breach or suspected behaviors on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.
+
+- Built in unique threat intelligence knowledge base
+
+ Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware ans software requirements, and deployment channels.
+[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
+[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
+[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
+[Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.
+[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
+[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
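Review bot: The "Minimum requirements" row has a typo, "endpoint hardware ans software requirements", which should read "hardware and software requirements". In the same added text, "File, URLs, and network connection inventory" mixes singular and plural; "Files, URLs, and network connection inventory" would read consistently.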
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index a181f49e7d..fd8ae1eff2 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -20,7 +20,8 @@
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
-### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)
+### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)
+### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
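Review bot: The removed entry for disconnect-your-organization-from-microsoft.md is replaced by two new topics, but nothing in this hunk shows what happens to the old file name. If that file is renamed or deleted by this commit, add a redirect or keep a stub, and say in the commit message which of the two new topics is the successor for existing links.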
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 8767cf30ff..6aa0112b22 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -10,145 +10,55 @@ author: jdeckerMS
# Change history for Manage and update Windows 10
-
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## May 2016
-New or changed topic | Description |
----|---|
-[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
+| New or changed topic | Description |
+| ---|---|
+|[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
+| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles |
+| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
+
## April 2016
-
-
-
-
-
-
-
-[Administrative tools in Windows 10](administrative-tools-in-windows-10.md) |
-Added screenshots of Control Panel and the administrative tools folder. |
-
-
-[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Added the font streaming section. |
-
-
-[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) |
-Made corrections to script and instructions for Shell Launcher. |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) | Added screenshots of Control Panel and the administrative tools folder. |
+| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added the font streaming section. |
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Made corrections to script and instructions for Shell Launcher. |
## March 2016
-
-
-
-
-
-
-
-
-[Application development for Windows as a service](application-development-for-windows-as-a-service.md) |
-New |
-
-
-[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) |
-New |
-
-
-[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
-Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
+| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
## February 2016
-
-
-
-
-
-
-
-
-[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Added call history and email to the Settings > Privacy section.
-Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-
-
-[Customize and export Start layout](customize-and-export-start-layout.md) |
-Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
-
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) |
-Added instructions for replacing markup characters with escape characters in Start layout XML |
-
-
-[Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) |
-New |
-
-
-[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) |
-New |
-
-
-[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) |
-Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
+| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
+| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
+| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
## December 2015
-
-
-
-
-
-
-
-
-[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
-New |
-
-
-[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |
-New |
-
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) |
- |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New |
+| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
+|[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
## November 2015
-
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New |
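Review bot: The re-added April 2016 and February 2016 rows still link to disconnect-your-organization-from-microsoft.md under the old title "Configure telemetry and other settings in your organization", while the May 2016 rows in this same hunk use the two new file names. If the old file is renamed or removed by this commit, point these rows at the new topic or confirm a redirect exists. Separately, the December 2015 row for "Customize Windows 10 Start with mobile device management (MDM)" goes from an empty description to "New" inside what is otherwise a table-format conversion; confirm that content change is intended. The rows beginning `|[` (Manage Wi-Fi Sense in May 2016, Customize Windows 10 Start in December 2015) are missing the space after the pipe that the other rows use.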
@@ -166,11 +76,8 @@ New or changed topic | Description |
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated |
| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated |
-
-
## Related topics
-
[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
@@ -179,11 +86,4 @@ New or changed topic | Description |
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
-
-
-
-
-
-
-
+
\ No newline at end of file
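Review bot: After this hunk the file ends without a trailing newline, as the "\ No newline at end of file" marker shows. The eight removed blank lines are replaced by a single added line that has no terminator; end the file with a newline so later diffs against this file do not flag the last line as changed.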
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
new file mode 100644
index 0000000000..df77f2d6aa
--- /dev/null
+++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
@@ -0,0 +1,1271 @@
+---
+title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
+description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
+ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
+keywords: privacy, stop data flow to Microsoft
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+---
+
+# Configure Windows 10 devices to stop data flow to Microsoft
+
+**Applies to**
+
+- Windows 10
+
+If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+
+Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
+
+If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+
+Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
+
+In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
+
+Here's what's covered in this article:
+
+- [Info management settings](#bkmk-othersettings)
+
+ - [1. Cortana](#bkmk-cortana)
+
+ - [1.1 Cortana Group Policies](#bkmk-cortana-gp)
+
+ - [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
+
+ - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
+
+ - [2. Date & Time](#bkmk-datetime)
+
+ - [3. Device metadata retrieval](#bkmk-devinst)
+
+ - [4. Font streaming](#font-streaming)
+
+ - [5. Insider Preview builds](#bkmk-previewbuilds)
+
+ - [6. Internet Explorer](#bkmk-ie)
+
+ - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
+
+ - [6.2 ActiveX control blocking](#bkmk-ie-activex)
+
+ - [7. Live Tiles](#live-tiles)
+
+ - [8. Mail synchronization](#bkmk-mailsync)
+
+ - [9. Microsoft Edge](#bkmk-edge)
+
+ - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp)
+
+ - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
+
+ - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
+
+ - [10. Network Connection Status Indicator](#bkmk-ncsi)
+
+ - [11. Offline maps](#bkmk-offlinemaps)
+
+ - [12. OneDrive](#bkmk-onedrive)
+
+ - [13. Preinstalled apps](#bkmk-preinstalledapps)
+
+ - [14. Settings > Privacy](#bkmk-settingssection)
+
+ - [14.1 General](#bkmk-priv-general)
+
+ - [14.2 Location](#bkmk-priv-location)
+
+ - [14.3 Camera](#bkmk-priv-camera)
+
+ - [14.4 Microphone](#bkmk-priv-microphone)
+
+ - [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+
+ - [14.6 Account info](#bkmk-priv-accounts)
+
+ - [14.7 Contacts](#bkmk-priv-contacts)
+
+ - [14.8 Calendar](#bkmk-priv-calendar)
+
+ - [14.9 Call history](#bkmk-priv-callhistory)
+
+ - [14.10 Email](#bkmk-priv-email)
+
+ - [14.11 Messaging](#bkmk-priv-messaging)
+
+ - [14.12 Radios](#bkmk-priv-radios)
+
+ - [14.13 Other devices](#bkmk-priv-other-devices)
+
+ - [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+
+ - [14.15 Background apps](#bkmk-priv-background)
+
+ - [15. Software Protection Platform](#bkmk-spp)
+
+ - [16. Sync your settings](#bkmk-syncsettings)
+
+ - [17. Teredo](#bkmk-teredo)
+
+ - [18. Wi-Fi Sense](#bkmk-wifisense)
+
+ - [19. Windows Defender](#bkmk-defender)
+
+ - [20. Windows Media Player](#bkmk-wmp)
+
+ - [21. Windows spotlight](#bkmk-spotlight)
+
+ - [22. Windows Store](#bkmk-windowsstore)
+
+ - [23. Windows Update Delivery Optimization](#bkmk-updates)
+
+ - [23.1 Settings > Update & security](#bkmk-wudo-ui)
+
+ - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
+
+ - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
+
+ - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
+
+ - [24. Windows Update](#bkmk-wu)
+
+## What's new in Windows 10, version 1511
+
+
+Here's a list of changes that were made to this article for Windows 10, version 1511:
+
+- Added the following new sections:
+
+ - [Mail synchronization](#bkmk-mailsync)
+
+ - [Offline maps](#bkmk-offlinemaps)
+
+ - [Windows spotlight](#bkmk-spotlight)
+
+ - [Windows Store](#bkmk-windowsstore)
+
+- Added the following Group Policies:
+
+ - Open a new tab with an empty tab
+
+ - Configure corporate Home pages
+
+ - Let Windows apps access location
+
+ - Let Windows apps access the camera
+
+ - Let Windows apps access the microphone
+
+ - Let Windows apps access account information
+
+ - Let Windows apps access contacts
+
+ - Let Windows apps access the calendar
+
+ - Let Windows apps access messaging
+
+ - Let Windows apps control radios
+
+ - Let Windows apps access trusted devices
+
+ - Do not show feedback notifications
+
+ - Turn off Automatic Download and Update of Map Data
+
+ - Force a specific default lock screen image
+
+- Added the AllowLinguisticDataCollection MDM policy.
+
+- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
+
+- Changed the Windows Update section to apply system-wide settings, and not just per user.
+
+## Info management settings
+
+
+This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
+
+- [1. Cortana](#bkmk-cortana)
+
+- [2. Date & Time](#bkmk-datetime)
+
+- [3. Device metadata retrieval](#bkmk-devinst)
+
+- [4. Font streaming](#font-streaming)
+
+- [5. Insider Preview builds](#bkmk-previewbuilds)
+
+- [6. Internet Explorer](#bkmk-ie)
+
+- [7. Live Tiles](#live-tiles)
+
+- [8. Mail synchronization](#bkmk-mailsync)
+
+- [9. Microsoft Edge](#bkmk-edge)
+
+- [10. Network Connection Status Indicator](#bkmk-ncsi)
+
+- [11. Offline maps](#bkmk-offlinemaps)
+
+- [12. OneDrive](#bkmk-onedrive)
+
+- [13. Preinstalled apps](#bkmk-preinstalledapps)
+
+- [14. Settings > Privacy](#bkmk-settingssection)
+
+- [15. Software Protection Platform](#bkmk-spp)
+
+- [16. Sync your settings](#bkmk-syncsettings)
+
+- [17. Teredo](#bkmk-teredo)
+
+- [18. Wi-Fi Sense](#bkmk-wifisense)
+
+- [19. Windows Defender](#bkmk-defender)
+
+- [20. Windows Media Player](#bkmk-wmp)
+
+- [21. Windows spotlight](#bkmk-spotlight)
+
+- [22. Windows Store](#bkmk-windowsstore)
+
+- [23. Windows Update Delivery Optimization](#bkmk-updates)
+
+- [24. Windows Update](#bkmk-wu)
+
+
+See the following table for a summary of the management settings. For more info, see its corresponding section.
+
+
+
+### 1. Cortana
+
+Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
+
+### 1.1 Cortana Group Policies
+
+Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
+
+| Policy | Description |
+|------------------------------------------------------|---------------------------------------------------------------------------------------|
+| Allow Cortana | Choose whether to let Cortana install and run on the device. |
+| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. |
+| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled|
+| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
+| Set what information is shared in Search | Control what information is shared with Bing in Search. |
+
+When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
+
+1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
+
+2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
+
+3. On the **Rule Type** page, click **Program**, and then click **Next**.
+
+4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
+
+5. On the **Action** page, click **Block the connection**, and then click **Next**.
+
+6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
+
+7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
+
+8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
+
+9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
+
+ - For **Protocol type**, choose **TCP**.
+
+ - For **Local port**, choose **All Ports**.
+
+ - For **Remote port**, choose **All ports**.
+
+**Note**
+If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
+
+### 1.2 Cortana MDM policies
+
+The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
+| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed|
+
+### 1.3 Cortana Windows Provisioning
+
+To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
+
+### 2. Date & Time
+
+You can prevent Windows from setting the time automatically.
+
+- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
+
+ -or-
+
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
+
+### 3. Device metadata retrieval
+
+To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+
+### 4. Font streaming
+
+Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
+
+To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
+
+**Note**
+This may change in future versions of Windows.
+
+### 5. Insider Preview builds
+
+To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
+
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+
+ -or-
+
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+ -or-
+
+- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+### 6. Internet Explorer
+
+Use Group Policy to manage settings for Internet Explorer.
+
+### 6.1 Internet Explorer Group Policies
+
+Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled|
+| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
+| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
+| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
+
+### 6.2 ActiveX control blocking
+
+ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+
+For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
+
+### 7. Live Tiles
+
+To turn off Live Tiles:
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+
+### 8. Mail synchronization
+
+To turn off mail synchronization for Microsoft Accounts that are configured on a device:
+
+- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
+
+ -or-
+
+- Remove any Microsoft Accounts from the Mail app.
+
+ -or-
+
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+
+To turn off the Windows Mail app:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
+
+### 9. Microsoft Edge
+
+Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
+
+### 9.1 Microsoft Edge Group Policies
+
+Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
+
+**Note**
+The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled |
+| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled |
+| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
+| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+
+### 9.2 Microsoft Edge MDM policies
+
+The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed |
+| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed |
+| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed |
+| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed |
+| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed |
+
+### 9.3 Microsoft Edge Windows Provisioning
+
+Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
+
+For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
+
+### 10. Network Connection Status Indicator
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+
+You can turn off NCSI through Group Policy:
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+
+### 11. Offline maps
+
+You can turn off the ability to download and update offline maps.
+
+- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+
+### 12. OneDrive
+
+To turn off OneDrive in your organization:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+
+### 13. Preinstalled apps
+
+Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
+
+To remove the News app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
+
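Review bot: The provisioned-package filter in the News app steps, -Like "Microsoft.BingNews", contains no wildcard, so -Like acts as an exact match against PackageName. The PackageName of a provisioned package carries version, architecture and publisher suffixes after the app name, so this filter will not select the package; use a trailing wildcard ("Microsoft.BingNews*") or compare DisplayName instead. The same applies to every Get-AppxProvisionedPackage line in section 13, including the Twitter one, which has only a leading wildcard. Separately, "From an elevated command prompt, run the following Windows PowerShell command" should say an elevated Windows PowerShell prompt, since these cmdlets are not available in cmd.exe.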
+To remove the Weather app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
+
+To remove the Money app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
+
+To remove the Sports app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
+
+To remove the Twitter app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
+
+To remove the XBOX app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
+
+To remove the Sway app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
+
+To remove the OneNote app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
+
+To remove the Get Office app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
+
+To remove the Get Skype app:
+
+- Right-click the Sports app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
+
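Review bot: The first step under "To remove the Get Skype app" reads "Right-click the Sports app in Start", which looks copied from the Sports block. Every other block says "Right-click the app in Start"; this one should match so the reader does not uninstall the wrong app.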
+### 14. Settings > Privacy
+
+Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
+
+- [14.1 General](#bkmk-general)
+
+- [14.2 Location](#bkmk-priv-location)
+
+- [14.3 Camera](#bkmk-priv-camera)
+
+- [14.4 Microphone](#bkmk-priv-microphone)
+
+- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+
+- [14.6 Account info](#bkmk-priv-accounts)
+
+- [14.7 Contacts](#bkmk-priv-contacts)
+
+- [14.8 Calendar](#bkmk-priv-calendar)
+
+- [14.9 Call history](#bkmk-priv-callhistory)
+
+- [14.10 Email](#bkmk-priv-email)
+
+- [14.11 Messaging](#bkmk-priv-messaging)
+
+- [14.12 Radios](#bkmk-priv-radios)
+
+- [14.13 Other devices](#bkmk-priv-other-devices)
+
+- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+
+- [14.15 Background apps](#bkmk-priv-background)
+
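Review bot: The fifteen links in the Settings > Privacy list point at #bkmk-... fragments (for example #bkmk-general and #bkmk-priv-location), but the 14.1 to 14.15 headings in this hunk are plain "###" headings with no matching anchor, so unless the anchors are defined elsewhere these links will not resolve. Add explicit anchors to the headings or link to the generated heading IDs. The subsections also sit at the same "###" level as "### 14. Settings > Privacy"; one level deeper would keep the outline nested.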
+### 14.1 General
+
+**General** includes options that don't fall into other areas.
+
+To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
+
+**Note**
+When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+
+To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
+
+ Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+
+ -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
+ -or-
+
+- Create a provisioning package, using:
+
+ - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
+
+ - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
+
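Review bot: Under "Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use", the two "Apply the Group Policy" lines (Microsoft Edge > Turn off the SmartScreen Filter, and File Explorer > Configure Windows SmartScreen) follow each other with no bullet on the second and no -and- or -or- between them, so a reader cannot tell whether both are required. Add the connector and make the second line a bullet. In the registry step, the value is named Enabled and the path ends in \AppHost\EnableWebContentEvaluation; please confirm which part is the key and which is the value name, since the advertising ID step above also uses a value called Enabled and this may be a copy of it.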
+To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
+
+**Note**
+If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Not allowed
+
+ - **1**. Allowed (default)
+
+To turn off **Let websites provide locally relevant content by accessing my language list**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
+
+### 14.2 Location
+
+In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
+
+To turn off **Location for this device**:
+
+- Click the **Change** button in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+
+ -or-
+
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Turned off and the employee can't turn it back on.
+
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
+
+ - **2**. Turned on and the employee can't turn it off.
+
+ **Note**
+ You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
+
+ - **No**. Turns off location service.
+
+ - **Yes**. Turns on location service. (default)
+
+To turn off **Location**:
+
+- Turn off the feature in the UI.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+To turn off **Location history**:
+
+- Erase the history using the **Clear** button in the UI.
+
+To turn off **Choose apps that can use your location**:
+
+- Turn off each app using the UI.
+
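Review bot: In "To turn off Location", the UI bullet and the Group Policy bullet have no -or- between them, and a stray -or- follows the Force Deny sub-bullet with nothing after it before "To turn off Location history". Move the -or- between the two bullets, or add the third option if one was intended. The "To turn off Location history" step only says to erase the history with the Clear button, which clears existing data rather than turning collection off; the lead-in should say "To clear" if no off switch exists.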
+### 14.3 Camera
+
+In the **Camera** area, you can choose which apps can access a device's camera.
+
+To turn off **Let apps use my camera**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+ **Note**
+ You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+To turn off **Choose apps that can use your camera**:
+
+- Turn off the feature in the UI for each app.
+
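Review bot: "Create a provisioning package with use Windows ICD, using" in the Camera section is garbled; the other provisioning bullets read "Create a provisioning package, using". The values are also inconsistent across sections: AllowCamera is documented here as 0 and 1, while the AllowLocation and AllowSyncMySettings provisioning bullets use No and Yes. Use whichever form Windows ICD actually shows, and mark the default as the Location list does.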
+### 14.4 Microphone
+
+In the **Microphone** area, you can choose which apps can access a device's microphone.
+
+To turn off **Let apps use my microphone**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can use your microphone**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.5 Speech, inking, & typing
+
+In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
+
+**Note**
+For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
+
+
+
+To turn off the functionality:
+
+- Click the **Stop getting to know me** button, and then click **Turn off**.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
+
+ -and-
+
+ Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+
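Review bot: "calendar entrees" in the Speech, inking, & typing intro should be "calendar entries". In the registry step, the AcceptedPrivacyPolicy and HarvestContacts values are joined by -and- while the rest of the list uses -or-; a short sentence saying both values must be set would make that difference explicit.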
+### 14.6 Account info
+
+In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
+
+To turn off **Let apps access my name, picture, and other account info**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose the apps that can access your account info**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.7 Contacts
+
+In the **Contacts** area, you can choose which apps can access an employee's contacts list.
+
+To turn off **Choose apps that can access contacts**:
+
+- Turn off the feature in the UI for each app.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.8 Calendar
+
+In the **Calendar** area, you can choose which apps have access to an employee's calendar.
+
+To turn off **Let apps access my calendar**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can access calendar**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.9 Call history
+
+In the **Call history** area, you can choose which apps have access to an employee's call history.
+
+To turn off **Let apps access my call history**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.10 Email
+
+In the **Email** area, you can choose which apps have can access and send email.
+
+To turn off **Let apps access and send email**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
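Review bot: "you can choose which apps have can access and send email" in the Email intro has a leftover word; drop "have" so it matches the wording of the neighbouring sections ("which apps can access").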
+### 14.11 Messaging
+
+In the **Messaging** area, you can choose which apps can read or send messages.
+
+To turn off **Let apps read or send messages (text or MMS)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can read or send messages**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.12 Radios
+
+In the **Radios** area, you can choose which apps can turn a device's radio on or off.
+
+To turn off **Let apps control radios**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can control radios**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.13 Other devices
+
+In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
+
+To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
+
+- Turn off the feature in the UI.
+
+To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.14 Feedback & diagnostics
+
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+
+To change how frequently **Windows should ask for my feedback**:
+
+**Note**
+Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+
+
+
+- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+
+ -or-
+
+- Create the registry keys (REG\_DWORD type):
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+
+ Based on these settings:
+
+ | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
+ |---------------|-----------------------------|-----------------------------|
+ | Automatically | Delete the registry setting | Delete the registry setting |
+ | Never | 0 | 0 |
+ | Always | 100000000 | Delete the registry setting |
+ | Once a day | 864000000000 | 1 |
+ | Once a week | 6048000000000 | 1 |
+
+
+
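Review bot: The PeriodInNanoSeconds values in the feedback-frequency table do not match the unit in the name: 864000000000 nanoseconds is 864 seconds, whereas 864000000000 units of 100 nanoseconds is 86,400 seconds (one day), and 6048000000000 such units is seven days. State the unit explicitly next to the table so admins who compute a custom period get it right. The lead-in "Create the registry keys (REG_DWORD type)" should say registry values, since PeriodInNanoSeconds and NumberOfSIUFInPeriod are values under the Siuf\Rules key, and "Delete the registry setting" in the table needs the same wording.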
+To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
+
+- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
+
+ **Note**
+ You can't use the UI to change the telemetry level to **Security**.
+
+
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+
+ -or-
+
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
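Review bot: The Allow Telemetry Group Policy path is written with backslashes ("Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry") while every other policy path in this file uses " > " separators and spells the node "Data Collection and Preview Builds". Unlike the MDM and provisioning bullets, the Group Policy bullet also gives no value to select; list the levels there too, and say that Group Policy is one of the ways to reach the Security level that the note says the UI cannot set.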
+### 14.15 Background apps
+
+In the **Background Apps** area, you can choose which apps can run in the background.
+
+To turn off **Let apps run in the background**:
+
+- Turn off the feature in the UI for each app.
+
+### 15. Software Protection Platform
+
+Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
+
+**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+
+The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+
+### 16. Sync your settings
+
+You can control if your settings are synchronized:
+
+- In the UI: **Settings** > **Accounts** > **Sync your settings**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+
+ -or-
+
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
+
+ - **No**. Settings are not synchronized.
+
+ - **Yes**. Settings are synchronized. (default)
+
+To turn off Messaging cloud sync:
+
+- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
+
+### 17. Teredo
+
+You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+
+- From an elevated command prompt, run **netsh interface teredo set state disabled**
+
+### 18. Wi-Fi Sense
+
+Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
+
+To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
+
+ -or-
+
+- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
+
+ -or-
+
+- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910).
+
+When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
+
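Review bot: The provisioning bullet in the Wi-Fi Sense section spells the setting "WiFISenseAllowed" in the sentence and "WiFiSenseAllowed" in the link text and in the Unattend bullet. Setting names get copied into answer files, so use one spelling throughout. The Group Policy bullet says "Disable the Group Policy" for a policy whose name begins with "Allow"; a short parenthetical confirming that Disabled is the state that turns the feature off would prevent misconfiguration.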
+### 19. Windows Defender
+
+You can opt of the Microsoft Antimalware Protection Service.
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
+
+ -or-
+
+- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
+
+You can stop sending file samples back to Microsoft.
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+
+ -or-
+
+- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Always prompt.
+
+ - **1**. (default) Send safe samples automatically.
+
+ - **2**. Never send.
+
+ - **3**. Send all samples automatically.
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+
+You can stop downloading definition updates:
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+
+ -and-
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+
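Review bot: The MDM policy in the first Windows Defender list is written "Defender/AllowClouldProtection"; the name should be Defender/AllowCloudProtection, and the bullet should state which value turns it off, as the SubmitSamplesConsent bullet does. Both "Defender CSP" links in this section point to the same URL used for the Policy CSP links elsewhere in the file, so either the label or the target is wrong. "You can opt of the Microsoft Antimalware Protection Service" is missing "out", and "Malicious Software Reporting Tool" in the last paragraph should be the Malicious Software Removal Tool to match the MRT key. The "stop downloading definition updates" steps leave Windows Defender without current signatures; the automatic updates step in section 24 carries "This is not recommended", and this step deserves an equivalent statement of the effect.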
+### 20. Windows Media Player
+
+To remove Windows Media Player:
+
+- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
+
+ -or-
+
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+
+### 21. Windows spotlight
+
+Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
+
+- Configure the following in **Settings**:
+
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**.
+
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+
+ - **System** > **Notifications & actions** > **Show me tips about Windows**.
+
+ -or-
+
+- Apply the Group Policies:
+
+ - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ - Add a location in the **Path to local lock screen image** box.
+
+ - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+
+ **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+
+
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+
+For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
+
+### 22. Windows Store
+
+You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
+
+### 23. Windows Update Delivery Optimization
+
+Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+
+By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
+
+Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
+
+### 23.1 Settings > Update & security
+
+You can set up Delivery Optimization from the **Settings** UI.
+
+- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
+
+### 23.2 Delivery Optimization Group Policies
+
+You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including None. Turns off Delivery Optimization.
Group. Gets or sends updates and apps to PCs on the same local network domain.
Internet. Gets or sends updates and apps to PCs on the Internet.
LAN. Gets or sends updates and apps to PCs on the same NAT only.
|
+| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
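Review bot: In the Download Mode row of the Group Policy table, the cell runs "including None. Turns off Delivery Optimization." into one sentence, so the option name and its description cannot be told apart, and the options are listed as None, Group, Internet, LAN while the MDM table in 23.3 orders the same modes 0, 1 (same NAT), 2 (local network domain), 3 (Internet). Format the options as a list within the cell, in the same order as the MDM table, ideally with the numeric value beside each name. "** Note**" in the Group ID row has a space after the opening asterisks and will not render as bold. In the section intro, "will only use Delivery Optimization to get and receive updates" should read "send and receive", matching the preceding paragraph.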
+### 23.3 Delivery Optimization MDM policies
+
+The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including 0. Turns off Delivery Optimization.
1. Gets or sends updates and apps to PCs on the same NAT only.
2. Gets or sends updates and apps to PCs on the same local network domain.
3. Gets or sends updates and apps to PCs on the Internet.
|
+| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+
+### 23.4 Delivery Optimization Windows Provisioning
+
+If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
+
+Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
+
+1. Open Windows ICD, and then click **New provisioning package**.
+
+2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
+
+3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
+
+4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
+
+For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
+
+### 24. Windows Update
+
+You can turn off Windows Update by setting the following registry entries:
+
+- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+ -and-
+
+- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+You can turn off automatic updates by doing one of the following. This is not recommended.
+
+- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+
+ -or-
+
+- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Notify the user before downloading the update.
+
+ - **1**. Auto install the update and then notify the user to schedule a device restart.
+
+ - **2** (default). Auto install and restart.
+
+ - **3**. Auto install and restart at a specified time.
+
+ - **4**. Auto install and restart without end-user control.
+
+ - **5**. Turn off automatic updates.
+
+To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
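Review bot: In section 24 (Windows Update), the steps that set DoNotConnectToWindowsUpdateInternetLocations and DisableWindowsUpdateAccess to 1 carry no caveat, while only the automatic-updates paragraph after them says "This is not recommended". Turning off Windows Update also stops security updates from arriving, so this paragraph should say the same and tell the reader to have another update source in place first, such as WSUS or System Center Configuration Manager, both named elsewhere in this patch. Smaller points in the Delivery Optimization tables: "** Note**" has a space after the opening asterisks and will not render as bold, and the DODownloadMode description reads "including 0. Turns off Delivery Optimization." with values 1 to 3 on their own lines, so value 0 should be listed the same way as the others. The sentence introducing Windows Provisioning in 23.4 is missing its closing period.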
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
new file mode 100644
index 0000000000..58de9307b7
--- /dev/null
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -0,0 +1,295 @@
+---
+description: Use this article to make informed decisions about how you can configure telemetry in your organization.
+title: Configure Windows telemetry in your organization (Windows 10)
+keywords: privacy
+---
+
+# Configure Windows telemetry in your organization
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+- Windows Server 2016 Technical Preview
+
+Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
+
+**Note**
+This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
+
+It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
+
+## Overview
+
+In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM.
+
+Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
+
+Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization.
+
+## How is telemetry data handled by Microsoft?
+
+### Data collection
+
+Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
+4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
+
+Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
+
+The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
+
+[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
+
+[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
+
+### Data use and access
+
+Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
+
+## Telemetry levels
+
+
+This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
+
+The telemetry data is categorized into four levels:
+
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
+
+- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
+
+The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
+
+
+
+### Security level
+
+The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
+
+**Note**
+If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
+
+
+
+The data gathered at this level includes:
+
+- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+ **Note**
+ You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+
+
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+ **Note**
+ This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
+
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+
+
+For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+
+The data gathered at this level includes:
+
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including:
+
+ - Device attributes, such as camera resolution and display type
+
+ - Internet Explorer version
+
+ - Battery attributes, such as capacity and type
+
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+ - Operating system attributes, such as Windows edition and virtualization state
+
+ - Storage attributes, such as number of drives, type, and size
+
+- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+ - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
+
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+
+The data gathered at this level includes:
+
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+
+### Full level
+
+The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+- Ability to get registry keys.
+
+- All crash dump types, including heap dumps and full dumps.
+
+### Manage your telemetry settings
+
+We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+
+**Important**
+These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+
+You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
+
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
+
+### Configure the operating system telemetry level
+
+You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Value | Level | Data gathered |
+|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
+| **0** | Security | Security data only. |
+| **1** | Basic | Security data, and basic system and quality data. |
+| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
+| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
+
+
+
+### Use Group Policy to set the telemetry level
+
+Use a Group Policy object to set your organization’s telemetry level.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+
+2. Double-click **Allow Telemetry**.
+
+3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the telemetry level
+
+Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the telemetry level
+
+Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
+
+2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3. Type **AllowTelemetry**, and then press ENTER.
+
+4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Configure System Center 2016 telemetry
+
+For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
+
+- Turn off telemetry by using the System Center UI Console settings workspace.
+
+- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+
+### Additional telemetry controls
+
+There are a few more settings that you can turn off that may send telemetry information:
+
+- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+ **Note**
+ Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+
+
+## Examples of how Microsoft uses the telemetry data
+
+
+### Drive higher application and driver quality in the ecosystem
+
+Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications
+
+### Reduce your total cost of ownership and downtime
+
+Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
+
+### Build features that address our customers’ needs
+
+Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
\ No newline at end of file
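Review bot: The Windows Defender/Endpoint Protection note links to disconnect-your-organization-from-microsoft.md#windows-defender, but the next file in this patch cuts that article from 1809 lines to 4 (hunk header -1,1809 +1,4), so the #windows-defender anchor will most likely no longer exist; point the link at wherever that content now lives. "The levels are cumulative and are illustrated in the following diagram" is followed only by blank lines, so either add the image or drop the reference. The Security level section says the level is available on "Windows Server 2016" while the rest of the article says "Windows Server 2016 Technical Preview", and the value table under "Configure the operating system telemetry level" lists 0 (Security) without repeating that it is limited to the editions named under "Telemetry levels". Typos to fix before merge: "youcr organization", "Technical Previewinstances", "user experiencewith", "devicelevel settings", "how you can to opt in", "principle of least privileged", "Microsoft do not intend". The file also ends without a trailing newline.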
diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md
index 5bfad5466a..2adc6e5005 100644
--- a/windows/manage/disconnect-your-organization-from-microsoft.md
+++ b/windows/manage/disconnect-your-organization-from-microsoft.md
@@ -1,1809 +1,4 @@
---
-title: Configure telemetry and other settings in your organization (Windows 10)
-description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
-ms.prod: W10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: brianlic-msft
----
-
-# Configure telemetry and other settings in your organization
-
-
-**Applies to**
-
-- Windows 10
-
-Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-
-**Note** Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows.
-
-
-
-Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
-
-In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
-
-We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
-
-Here's what's covered in this article:
-
-- [Info management settings](#bkmk-othersettings)
-
- - [1. Cortana](#bkmk-cortana)
-
- - [1.1 Cortana Group Policies](#bkmk-cortana-gp)
-
- - [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
-
- - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
-
- - [2. Date & Time](#bkmk-datetime)
-
- - [3. Device metadata retrieval](#bkmk-devinst)
-
- - [4. Font streaming](#font-streaming)
-
- - [5. Insider Preview builds](#bkmk-previewbuilds)
-
- - [6. Internet Explorer](#bkmk-ie)
-
- - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
-
- - [6.2 ActiveX control blocking](#bkmk-ie-activex)
-
- - [7. Mail synchronization](#bkmk-mailsync)
-
- - [8. Microsoft Edge](#bkmk-edge)
-
- - [8.1 Microsoft Edge Group Policies](#bkmk-edgegp)
-
- - [8.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
-
- - [8.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
-
- - [9. Network Connection Status Indicator](#bkmk-ncsi)
-
- - [10. Offline maps](#bkmk-offlinemaps)
-
- - [11. OneDrive](#bkmk-onedrive)
-
- - [12. Preinstalled apps](#bkmk-preinstalledapps)
-
- - [13. Settings > Privacy](#bkmk-settingssection)
-
- - [13.1 General](#bkmk-general)
-
- - [13.2 Location](#bkmk-priv-location)
-
- - [13.3 Camera](#bkmk-priv-camera)
-
- - [13.4 Microphone](#bkmk-priv-microphone)
-
- - [13.5 Speech, inking, & typing](#bkmk-priv-speech)
-
- - [13.6 Account info](#bkmk-priv-accounts)
-
- - [13.7 Contacts](#bkmk-priv-contacts)
-
- - [13.8 Calendar](#bkmk-priv-calendar)
-
- - [13.9 Call history](#bkmk-priv-callhistory)
-
- - [13.10 Email](#bkmk-priv-email)
-
- - [13.11 Messaging](#bkmk-priv-messaging)
-
- - [13.12 Radios](#bkmk-priv-radios)
-
- - [13.13 Other devices](#bkmk-priv-other-devices)
-
- - [13.14 Feedback & diagnostics](#bkmk-priv-feedback)
-
- - [13.15 Background apps](#bkmk-priv-background)
-
- - [14. Software Protection Platform](#bkmk-spp)
-
- - [15. Sync your settings](#bkmk-syncsettings)
-
- - [16. Teredo](#bkmk-teredo)
-
- - [17. Wi-Fi Sense](#bkmk-wifisense)
-
- - [18. Windows Defender](#bkmk-defender)
-
- - [19. Windows Media Player](#bkmk-wmp)
-
- - [20. Windows spotlight](#bkmk-spotlight)
-
- - [21. Windows Store](#bkmk-windowsstore)
-
- - [22. Windows Update Delivery Optimization](#bkmk-updates)
-
- - [22.1 Settings > Update & security](#bkmk-wudo-ui)
-
- - [22.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
-
- - [22.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
-
- - [22.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
-
- - [23. Windows Update](#bkmk-wu)
-
-- [Manage your telemetry settings](#bkmk-utc)
-
-- [How telemetry works](#bkmk-moreutc)
-
-## What's new in Windows 10, version 1511
-
-
-Here's a list of changes that were made to this article for Windows 10, version 1511:
-
-- Added the following new sections:
-
- - [Mail synchronization](#bkmk-mailsync)
-
- - [Offline maps](#bkmk-offlinemaps)
-
- - [Windows spotlight](#bkmk-spotlight)
-
- - [Windows Store](#bkmk-windowsstore)
-
-- Added the following Group Policies:
-
- - Open a new tab with an empty tab
-
- - Configure corporate Home pages
-
- - Let Windows apps access location
-
- - Let Windows apps access the camera
-
- - Let Windows apps access the microphone
-
- - Let Windows apps access account information
-
- - Let Windows apps access contacts
-
- - Let Windows apps access the calendar
-
- - Let Windows apps access messaging
-
- - Let Windows apps control radios
-
- - Let Windows apps access trusted devices
-
- - Do not show feedback notifications
-
- - Turn off Automatic Download and Update of Map Data
-
- - Force a specific default lock screen image
-
-- Added the AllowLinguisticDataCollection MDM policy.
-
-- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
-
-- Added steps in the [Live tiles](#bkmk-livetiles) section on how to remove the Money and Sports apps.
-
-- Changed the Windows Update section to apply system-wide settings, and not just per user.
-
-## Info management settings
-
-
-This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
-
-The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
-
-- [1. Cortana](#bkmk-cortana)
-
-- [2. Date & Time](#bkmk-datetime)
-
-- [3. Device metadata retrieval](#bkmk-devinst)
-
-- [4. Font streaming](#font-streaming)
-
-- [5. Insider Preview builds](#bkmk-previewbuilds)
-
-- [6. Internet Explorer](#bkmk-ie)
-
-- [7. Mail synchronization](#bkmk-mailsync)
-
-- [8. Microsoft Edge](#bkmk-edge)
-
-- [9. Network Connection Status Indicator](#bkmk-ncsi)
-
-- [10. Offline maps](#bkmk-offlinemaps)
-
-- [11. OneDrive](#bkmk-onedrive)
-
-- [12. Preinstalled apps](#bkmk-preinstalledapps)
-
-- [13. Settings > Privacy](#bkmk-settingssection)
-
-- [14. Software Protection Platform](#bkmk-spp)
-
-- [15. Sync your settings](#bkmk-syncsettings)
-
-- [16. Teredo](#bkmk-teredo)
-
-- [17. Wi-Fi Sense](#bkmk-wifisense)
-
-- [18. Windows Defender](#bkmk-defender)
-
-- [19. Windows Media Player](#bkmk-wmp)
-
-- [20. Windows spotlight](#bkmk-spotlight)
-
-- [21. Windows Store](#bkmk-windowsstore)
-
-- [22. Windows Update](#bkmk-wu)
-
-- [23. Windows Update Delivery Optimization](#bkmk-updates)
-
-See the following table for a summary of the management settings. For more info, see its corresponding section.
-
-
-
-### 1. Cortana
-
-Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
-
-### 1.1 Cortana Group Policies
-
-Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
-
-
-
-
-
-
-
-
-
-
-
-Allow Cortana |
-Choose whether to let Cortana install and run on the device.
-Default: Enabled |
-
-
-Allow search and Cortana to use location |
-Choose whether Cortana and Search can provide location-aware search results.
-Default: Enabled |
-
-
-Do not allow web search |
-Choose whether to search the web from Windows Desktop Search.
-Default: Disabled |
-
-
-Don't search the web or display web results in Search |
-Choose whether to search the web from Cortana.
-Default: Disabled |
-
-
-Set what information is shared in Search |
-Control what information is shared with Bing in Search. |
-
-
-
-
-
-
-When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
-
-1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
-
-2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
-
-3. On the **Rule Type** page, click **Program**, and then click **Next**.
-
-4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
-
-5. On the **Action** page, click **Block the connection**, and then click **Next**.
-
-6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
-
-7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
-
-8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
-
-9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
-
- - For **Protocol type**, choose **TCP**.
-
- - For **Local port**, choose **All Ports**.
-
- - For **Remote port**, choose **All ports**.
-
-**Note**
-If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
-
-
-
-### 1.2 Cortana MDM policies
-
-The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-Experience/AllowCortana |
-Choose whether to let Cortana install and run on the device.
-Default: Allowed |
-
-
-Search/AllowSearchToUseLocation |
-Choose whether Cortana and Search can provide location-aware search results.
-Default: Allowed |
-
-
-
-
-
-
-### 1.3 Cortana Windows Provisioning
-
-To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
-
-### 2. Date & Time
-
-You can prevent Windows from setting the time automatically.
-
-- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
-
- -or-
-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
-
-### 3. Device metadata retrieval
-
-To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-
-### 4. Font streaming
-
-Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
-
-To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
-
-**Note**
-This may change in future versions of Windows.
-
-
-
-### 5. Insider Preview builds
-
-To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
-
-- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
-
- -or-
-
-- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-
- -or-
-
-- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-
-### 6. Internet Explorer
-
-Use Group Policy to manage settings for Internet Explorer.
-
-### 6.1 Internet Explorer Group Policies
-
-Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
-
-
-
-
-
-
-
-
-
-
-
-Turn on Suggested Sites |
-Choose whether an employee can configure Suggested Sites.
-Default: Enabled
-You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box. |
-
-
-Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar |
-Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
-Default: Enabled |
-
-
-Turn off the auto-complete feature for web addresses |
-Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
-Default: Disabled
-You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box. |
-
-
-Disable Periodic Check for Internet Explorer software updates |
-Choose whether Internet Explorer periodically checks for a new version.
-Default: Enabled |
-
-
-Turn off browser geolocation |
-Choose whether websites can request location data from Internet Explorer.
-Default: Disabled |
-
-
-
-
-
-
-### 6.2 ActiveX control blocking
-
-ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
-
-For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-
-### 7. Mail synchronization
-
-To turn off mail synchronization for Microsoft Accounts that are configured on a device:
-
-- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
-
- -or-
-
-- Remove any Microsoft Accounts from the Mail app.
-
- -or-
-
-- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
-
-To turn off the Windows Mail app:
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-
-### 8. Microsoft Edge
-
-Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
-
-### 8.1 Microsoft Edge Group Policies
-
-Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
-
-**Note**
-The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Turn off autofill |
-Choose whether employees can use autofill on websites.
-Default: Enabled |
-
-
-Allow employees to send Do Not Track headers |
-Choose whether employees can send Do Not Track headers.
-Default: Disabled |
-
-
-Turn off password manager |
-Choose whether employees can save passwords locally on their devices.
-Default: Enabled |
-
-
-Turn off address bar search suggestions |
-Choose whether the address bar shows search suggestions.
-Default: Enabled |
-
-
-Turn off the SmartScreen Filter |
-Choose whether SmartScreen is turned on or off.
-Default: Enabled |
-
-
-Open a new tab with an empty tab |
-Choose whether a new tab page appears.
-Default: Enabled |
-
-
-Configure corporate Home pages |
-Choose the corporate Home page for domain-joined devices.
-Set this to about:blank |
-
-
-
-
-
-
-### 8.2 Microsoft Edge MDM policies
-
-The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-Browser/AllowAutoFill |
-Choose whether employees can use autofill on websites.
-Default: Allowed |
-
-
-Browser/AllowDoNotTrack |
-Choose whether employees can send Do Not Track headers.
-Default: Not allowed |
-
-
-Browser/AllowPasswordManager |
-Choose whether employees can save passwords locally on their devices.
-Default: Allowed |
-
-
-Browser/AllowSearchSuggestionsinAddressBar |
-Choose whether the address bar shows search suggestions.
-Default: Allowed |
-
-
-Browser/AllowSmartScreen |
-Choose whether SmartScreen is turned on or off.
-Default: Allowed |
-
-
-
-
-
-
-### 8.3 Microsoft Edge Windows Provisioning
-
-Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
-
-For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-
-### 9. Network Connection Status Indicator
-
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
-
-You can turn off NCSI through Group Policy:
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
-
-### 10. Offline maps
-
-You can turn off the ability to download and update offline maps.
-
-- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps**
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
-
-### 11. OneDrive
-
-To turn off OneDrive in your organization:
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-
-### 12. Preinstalled apps
-
-Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
-
-To remove the News app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
-
-To remove the Weather app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
-
-To remove the Money app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
-
-To remove the Sports app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
-
-To remove the Twitter app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
-
-To remove the XBOX app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
-
-To remove the Sway app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
-
-To remove the OneNote app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
-
-To remove the Get Office app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
-
-To remove the Get Skype app:
-
-- Right-click the Sports app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-
-### 13. Settings > Privacy
-
-Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-
-- [13.1 General](#bkmk-general)
-
-- [13.2 Location](#bkmk-priv-location)
-
-- [13.3 Camera](#bkmk-priv-camera)
-
-- [13.4 Microphone](#bkmk-priv-microphone)
-
-- [13.5 Speech, inking, & typing](#bkmk-priv-speech)
-
-- [13.6 Account info](#bkmk-priv-accounts)
-
-- [13.7 Contacts](#bkmk-priv-contacts)
-
-- [13.8 Calendar](#bkmk-priv-calendar)
-
-- [13.9 Call history](#bkmk-priv-callhistory)
-
-- [13.10 Email](#bkmk-priv-email)
-
-- [13.11 Messaging](#bkmk-priv-messaging)
-
-- [13.12 Radios](#bkmk-priv-radios)
-
-- [13.13 Other devices](#bkmk-priv-other-devices)
-
-- [13.14 Feedback & diagnostics](#bkmk-priv-feedback)
-
-- [13.15 Background apps](#bkmk-priv-background)
-
-### 13.1 General
-
-**General** includes options that don't fall into other areas.
-
-To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
-
-**Note**
-When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-
-
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
-
- -or-
-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
-
-To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
-
- -or-
-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-
- -or-
-
-- Create a provisioning package, using:
-
- - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
-
- - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
-
-To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
-
-**Note**
-If the telemetry level is set to either [Basic](#bkmk-utc-basic) or [Security](#bkmk-utc-security), this is turned off automatically.
-
-
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
-
- - **0**. Not allowed
-
- - **1**. Allowed (default)
-
-To turn off **Let websites provide locally relevant content by accessing my language list**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
-
-### 13.2 Location
-
-In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
-
-To turn off **Location for this device**:
-
-- Click the **Change** button in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-
- -or-
-
-- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Turned off and the employee can't turn it back on.
-
- - **1**. Turned on, but lets the employee choose whether to use it. (default)
-
- - **2**. Turned on and the employee can't turn it off.
-
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
-
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
-
- - **No**. Turns off location service.
-
- - **Yes**. Turns on location service. (default)
-
-To turn off **Location**:
-
-- Turn off the feature in the UI.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
-
- - Set the **Select a setting** box to **Force Deny**.
-
- -or-
-
-To turn off **Location history**:
-
-- Erase the history using the **Clear** button in the UI.
-
-To turn off **Choose apps that can use your location**:
-
-- Turn off each app using the UI.
-
-### 13.3 Camera
-
-In the **Camera** area, you can choose which apps can access a device's camera.
-
-To turn off **Let apps use my camera**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
-
- - Set the **Select a setting** box to **Force Deny**.
-
- -or-
-
-- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
-
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
-
-
- -or-
-
-- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
-
-To turn off **Choose apps that can use your camera**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.4 Microphone
-
-In the **Microphone** area, you can choose which apps can access a device's microphone.
-
-To turn off **Let apps use my microphone**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can use your microphone**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.5 Speech, inking, & typing
-
-In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
-
-**Note**
-For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
-
-
-
-To turn off the functionality:
-
-- Click the **Stop getting to know me** button, and then click **Turn off**.
-
- -or-
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
-
- -and-
-
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
-
-### 13.6 Account info
-
-In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
-
-To turn off **Let apps access my name, picture, and other account info**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose the apps that can access your account info**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.7 Contacts
-
-In the **Contacts** area, you can choose which apps can access an employee's contacts list.
-
-To turn off **Choose apps that can access contacts**:
-
-- Turn off the feature in the UI for each app.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.8 Calendar
-
-In the **Calendar** area, you can choose which apps have access to an employee's calendar.
-
-To turn off **Let apps access my calendar**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can access calendar**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.9 Call history
-
-In the **Call history** area, you can choose which apps have access to an employee's call history.
-
-To turn off **Let apps access my call history**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.10 Email
-
-In the **Email** area, you can choose which apps have can access and send email.
-
-To turn off **Let apps access and send email**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.11 Messaging
-
-In the **Messaging** area, you can choose which apps can read or send messages.
-
-To turn off **Let apps read or send messages (text or MMS)**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can read or send messages**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.12 Radios
-
-In the **Radios** area, you can choose which apps can turn a device's radio on or off.
-
-To turn off **Let apps control radios**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can control radios**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.13 Other devices
-
-In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
-
-To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-
-- Turn off the feature in the UI.
-
-To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.14 Feedback & diagnostics
-
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
-
-To change how frequently **Windows should ask for my feedback**:
-
-**Note**
-Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
-
-
-
-- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
-
- -or-
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
-
- -or-
-
-- Create the registry keys (REG\_DWORD type):
-
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
-
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
-
- Based on these settings:
-
- | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
- |---------------|-----------------------------|-----------------------------|
- | Automatically | Delete the registry setting | Delete the registry setting |
- | Never | 0 | 0 |
- | Always | 100000000 | Delete the registry setting |
- | Once a day | 864000000000 | 1 |
- | Once a week | 6048000000000 | 1 |
-
-
-
-To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-
-- To change from [Enhanced](#bkmk-utc-enhanced), use the drop-down list in the UI. The other levels are **Basic** and **Full**. For more info about these levels, see [How telemetry works](#bkmk-moreutc).
-
- **Note**
- You can't use the UI to change the telemetry level to [Security](#bkmk-utc-security).
-
-
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
-
- -or-
-
-- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
- - **3**. Maps to the [Full](#bkmk-utc-full) level.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
-
- - **0**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
- - **3**. Maps to the [Full](#bkmk-utc-full) level.
-
-### 13.15 Background apps
-
-In the **Background Apps** area, you can choose which apps can run in the background.
-
-To turn off **Let apps run in the background**:
-
-- Turn off the feature in the UI for each app.
-
-### 14. Software Protection Platform
-
-Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
-
-**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
-
-The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-
-### 15. Sync your settings
-
-You can control if your settings are synchronized:
-
-- In the UI: **Settings** > **Accounts** > **Sync your settings**
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
-
- -or-
-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
-
- - **No**. Settings are not synchronized.
-
- - **Yes**. Settings are synchronized. (default)
-
-To turn off Messaging cloud sync:
-
-- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-
-### 16. Teredo
-
-You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
-
-- From an elevated command prompt, run **netsh interface teredo set state disabled**
-
-### 17. Wi-Fi Sense
-
-Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
-
-To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
-
- -or-
-
-- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
-
- -or-
-
-- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
-
- -or-
-
-- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910)
-
-When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-
-### 18. Windows Defender
-
-You can opt of the Microsoft Antimalware Protection Service.
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
-
- -or-
-
-- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
-
-You can stop sending file samples back to Microsoft.
-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
-
- -or-
-
-- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Always prompt.
-
- - **1**. (default) Send safe samples automatically.
-
- - **2**. Never send.
-
- - **3**. Send all samples automatically.
-
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
-
-You can stop downloading definition updates:
-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-
- -and-
-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
-
-You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-
-### 19. Windows Media Player
-
-To remove Windows Media Player:
-
-- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
-
- -or-
-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-
-### 20. Windows spotlight
-
-Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
-
-- Configure the following in **Settings**:
-
- - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**.
-
- - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
-
- - **System** > **Notifications & actions** > **Show me tips about Windows**.
-
- -or-
-
-- Apply the Group Policies:
-
- - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
- - Add a location in the **Path to local lock screen image** box.
-
- - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
-
- **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
-
-
-
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
-
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
-
-For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
-
-### 21. Windows Store
-
-You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-
-### 22. Windows Update Delivery Optimization
-
-Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
-
-By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
-
-Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
-
-### 22.1 Settings > Update & security
-
-You can set up Delivery Optimization from the **Settings** UI.
-
-- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-
-### 22.2 Delivery Optimization Group Policies
-
-You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
-
-
-
-
-
-
-
-
-
-
-
-Download Mode |
-Lets you choose where Delivery Optimization gets or sends updates and apps, including
-
-None. Turns off Delivery Optimization.
-Group. Gets or sends updates and apps to PCs on the same local network domain.
-Internet. Gets or sends updates and apps to PCs on the Internet.
-LAN. Gets or sends updates and apps to PCs on the same NAT only.
- |
-
-
-Group ID |
-Lets you provide a Group ID that limits which PCs can share apps and updates.
-
- Note
- This ID must be a GUID.
-
-
-
- |
-
-
-Max Cache Age |
-Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
-The default value is 259200 seconds (3 days). |
-
-
-Max Cache Size |
-Lets you specify the maximum cache size as a percentage of disk size.
-The default value is 20, which represents 20% of the disk. |
-
-
-Max Upload Bandwidth |
-Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
-The default value is 0, which means unlimited possible bandwidth. |
-
-
-
-
-
-
-### 22.3 Delivery Optimization MDM policies
-
-The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-DeliveryOptimization/DODownloadMode |
-Lets you configure where Delivery Optimization gets or sends updates and apps, including:
-
-0. Turns off Delivery Optimization.
-1. Gets or sends updates and apps to PCs on the same NAT only.
-2. Gets or sends updates and apps to PCs on the same local network domain.
-3. Gets or sends updates and apps to PCs on the Internet.
- |
-
-
-DeliveryOptimization/DOGroupID |
-Lets you provide a Group ID that limits which PCs can share apps and updates.
-
- Note
- This ID must be a GUID.
-
-
-
- |
-
-
-DeliveryOptimization/DOMaxCacheAge |
-Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
-The default value is 259200 seconds (3 days). |
-
-
-DeliveryOptimization/DOMaxCacheSize |
-Lets you specify the maximum cache size as a percentage of disk size.
-The default value is 20, which represents 20% of the disk. |
-
-
-DeliveryOptimization/DOMaxUploadBandwidth |
-Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
-The default value is 0, which means unlimited possible bandwidth. |
-
-
-
-
-
-
-### 22.4 Delivery Optimization Windows Provisioning
-
-If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
-
-Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
-
-3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
-
-For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
-
-### 23. Windows Update
-
-You can turn off Windows Update by setting the following registry entries:
-
-- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-
- -and-
-
-- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-
-You can turn off automatic updates by doing one of the following. This is not recommended.
-
-- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
-
- -or-
-
-- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Notify the user before downloading the update.
-
- - **1**. Auto install the update and then notify the user to schedule a device restart.
-
- - **2** (default). Auto install and restart.
-
- - **3**. Auto install and restart at a specified time.
-
- - **4**. Auto install and restart without end-user control.
-
- - **5**. Turn off automatic updates.
-
-To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
-
-## Manage your telemetry settings
-
-
-You can manage your telemetry settings using the management tools you're already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings.
-
-You can set your organization's devices to use 1 of 4 telemetry levels:
-
-- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions)
-
-- [Basic](#bkmk-utc-basic)
-
-- [Enhanced](#bkmk-utc-enhanced)
-
-- [Full](#bkmk-utc-full)
-
-For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). If you choose Express settings during installation, your device is configured for the Full telemetry level. In Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core, unattended installations configure your device for the Enhanced telemetry level.
-
-**Important**
-These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies.
-
-
-
-### Use Group Policy to set the telemetry level
-
-Use a Group Policy object to set your organization’s telemetry level.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-
-2. Double-click **Allow Telemetry**.
-
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-
-### Use MDM to set the telemetry level
-
-Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values:
-
-- **0**. Maps to the [Security](#bkmk-utc-security) level.
-
-- **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
-- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
-- **3**. Maps to the [Full](#bkmk-utc-full) level.
-
-### Use Windows Provisioning to set the telemetry level
-
-Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool - part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization's telemetry level.
-
-After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD.
-
-**To use Windows ICD to integrate your package into a custom image**
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next**.
-
-3. Click **Common to all Windows editions** > **Next** > **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following:
-
- - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level
-
- - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level.
-
-5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**.
-
-6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**.
-
-7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**.
-
-8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**.
-
-9. On the **Build the provisioning package** step, click **Build**.
-
-### Use Registry Editor to set the telemetry level
-
-Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry.
-
-If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
-
-2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**.
-
-3. Type **AllowTelemetry**, and then press ENTER.
-
-4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**.
-
- - **0**. This setting maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level
-
- - **3**. This setting maps to the [Full](#bkmk-utc-full) level.
-
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Additional telemetry controls
-
-There are a few more settings that you can turn off that may send telemetry information:
-
-- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-
-- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article.
-
- **Note**
- Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-
-
-## How telemetry works
-
-
-Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization.
-
-### Telemetry levels
-
-This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
-
-- **Security**. Information that's required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
-
-- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level.
-
-- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.
-
-- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.
-
-As a diagram:
-
-
-
-### Security level
-
-The Security level gathers only telemetry info that's required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
-
-**Note**
-If your organization relies on Windows Update for updates, you shouldn't use the Security level. Because no Windows Update information is gathered at this level, Microsoft can't tell whether an update successfully installed.
-
-You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level.
-
-
-
-Security level info includes:
-
-- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- **Note**
- You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users.
-
-
-
-- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender).
-
- **Note**
- This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off.
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality.
-
-
-
-No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer's registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article.
-
-### Basic level
-
-The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version.
-
-Basic level info includes:
-
-- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as mobile operator network and IMEI number
-
- - Processor and memory attributes, such as number of cores, speed, and firmware
-
- - Operating system attributes, such as Windows edition and IsVirtualDevice
-
- - Storage attributes, such as number of drives and memory size
-
-- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems.
-
- - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS.
-
- - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
-
-### Enhanced level
-
-The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-Enhanced level info includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang.
-
-### Full level
-
-The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels.
-
-Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft's internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem.
-
-However, before more info is gathered, Microsoft's privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- Ability to gather user content, such as documents, if they might have been the trigger for the issue.
-
-### How is telemetry information handled by Microsoft?
-
-### Collection
-
-Information gathered by the Connected User Experience and Telemetry component complies with Microsoft's security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info.
-
-### Data Transfer
-
-All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-### Microsoft Data Management Service
-
-The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings.
-
-### Usage
-
-Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis.
-
-An example of personalization is to create individually tailored in-product messages.
-
-Microsoft doesn't share organization-specific customer information with third parties, except at the customer's direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals.
-
-### Retention
-
-Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it's needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.
-
-
-
-
-
+title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
+redirect_url: http://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft
+---
\ No newline at end of file
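Review bot: The redirect target looks mismatched with what is removed here. Most of the deleted text (telemetry levels, data transfer, retention) is telemetry material, and lock-down-windows-10.md in this same change lists a separate configure-windows-telemetry-in-your-organization.md for that topic, yet `redirect_url` points at configure-windows-10-devices-to-stop-data-flow-to-microsoft. Please confirm the target, and confirm that the anchors the old text relied on (#bkmk-utc, #bkmk-defender, #bkmk-priv-speech, #bkmk-priv-general) and the two endpoints named under "Microsoft Data Management Service" (v10.vortex-win.data.microsoft.com and settings-win.data.microsoft.com) are carried into one of the new articles, since admins build proxy and firewall rules from them. The `redirect_url` is also plain http, and the file now ends without a trailing newline after the closing `---`.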
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png
index 1a4aff8def..527d92d9b2 100644
Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index ffe9e7c732..789cf15e86 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -43,30 +43,36 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
-[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) |
+Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) |
+Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+
+
[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) |
IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. |
-
+
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |
Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
-
+
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) |
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
-
+
[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) |
There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. |
-
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
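Review bot: The added ` ## Learn more` line starts with a space and takes the place of the blank line that used to follow the last table row, so the heading now sits directly against the table and may not render as a heading. Restore the blank line and start the heading at column 0; the same pattern is added in set-up-a-device-for-anyone-to-use.md. The two empty `+` lines added after the new telemetry rows also look unintentional.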
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 4108cd3ae2..616e800b95 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -538,6 +538,10 @@ After you deploy your devices, you can still configure lockdown settings through
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
+## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
+
## Related topics
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index dca8bf4608..227070a768 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -94,6 +94,7 @@ For more information about the MDM protocols, see [Mobile device management](htt
## Learn more
+[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627898.aspx)
[Windows 10, Azure AD and Microsoft Intune: Automatic MDM Enrollment](http://go.microsoft.com/fwlink/p/?LinkId=623321)
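Review bot: The new link hard-codes the `en-us` locale in `https://technet.microsoft.com/en-us/library/mt627898.aspx`, while the link directly below it uses a locale-neutral go.microsoft.com fwlink. Drop the locale segment or use a fwlink so the entry matches its neighbor and readers are routed to their own language.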
diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md
index f51da76256..58d0eadae7 100644
--- a/windows/manage/manage-wifi-sense-in-enterprise.md
+++ b/windows/manage/manage-wifi-sense-in-enterprise.md
@@ -2,7 +2,7 @@
title: Manage Wi-Fi Sense in your company (Windows 10)
description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271
-keywords: ["WiFi Sense", "Shared networks"]
+keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -15,25 +15,19 @@ author: eross-msft
- Windows 10
- Windows 10 Mobile
-Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.
+Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When you’re in range of one of these Wi-Fi hotspots, you automatically get connected to it.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.
-
**Note**
Wi-Fi Sense isn’t available in all countries or regions.
+
+**Note**
Wi-Fi Sense isn’t available in all countries or regions.
## How does Wi-Fi Sense work?
-Wi-Fi Sense connects your employees to the available Wi-Fi networks, including:
-
-- **Open Wi-Fi networks.** Wi-Fi Sense uses crowdsourcing to find the networks that other Windows users are connected to. Typically, these are the open (no password required) Wi-Fi hotspots you see when you’re out and about.
-
-- **Shared Wi-Fi networks.** Wi-Fi Sense uses the Wi-Fi networks that your employee shares with Facebook friends, Outlook.com contacts, or Skype contacts. Sharing doesn’t happen automatically; an employee must connect to a network, enter the network password, and then choose the **Share network with my contacts** box before the network is shared.
-
-**Important**
Wi-Fi Sense lets your employees share your network access with their contacts, without telling their contacts the actual network password. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network.
-
-Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol.
+Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when you’re out and about.
## How to manage Wi-Fi Sense in your company
In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
-
**Important**
Turning off Wi-Fi Sense also turns off all related features, including: connecting automatically to open hotspots, connecting automatically to networks shared by contacts, and sharing networks with contacts.
+
+**Important**
Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots.
### Using Group Policy (available starting with Windows 10, version 1511)
You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
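Review bot: The new introduction says Wi-Fi Sense works "by collecting information about the network" from the device, but the rewritten Important note says only that turning it off "stops employees from connecting automatically to open hotspots". State whether turning Wi-Fi Sense off with the management options on this page also stops that collection, because that is the question an admin reading this page for privacy reasons will have. The new first sentence also addresses the end user ("your Windows PC or Windows phone") while the rest of the page addresses the admin ("your employees"); pick one voice.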
@@ -75,38 +69,20 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910).
### How employees can change their own Wi-Fi Sense settings
-If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn the settings on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then changing one or both of these settings under **Wi-Fi Sense**:
+If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
-- Connect to suggested open hotspots
+
-- Connect to networks shared by my contacts
+**Important**
The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
- 
+The **Connect to networks shared by my contacts** setting will still appear in **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings** on your PC and in **Settings > Network & wireless > Wi‑Fi > Wi‑Fi Sense** on your phone. However, this setting will have no effect now. Regardless of what it’s set to, networks won’t be shared with your contacts. Your contacts won’t be connected to networks you’ve shared with them, and you won’t be connected to networks they’ve shared with you.
-## Important considerations
-Whether to allow your employees to share your password-protected Wi-Fi networks with their contacts to give them Internet access is completely up to you. However, if you decide to allow it, you should consider the following important info.
+Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still won’t be connected to networks your contacts have shared with you.
-### Network considerations
-- Wi-Fi Sense is designed to block contacts given Internet access through your password-protected network from reaching your intranet sites and other devices or files on the shared network.
-
-- Network info can only be shared with contacts using Wi-Fi Sense on PCs running Windows 10 or phones running Windows 10 Mobile. Wi-Fi Sense won’t work with any other operating system.
-
-### Security considerations
-- Your employees must be connected using a Microsoft account to use Wi-Fi Sense.
-
-- Your employees can’t pick individual contacts to share with. Instead, they must pick a group of contacts, such as their Skype contacts. In this case, all of the employee’s Skype contacts will be able to access the shared network.
-
-- Wi-Fi Sense is designed to block contacts from seeing the Wi-Fi network password. For networks you choose to share access to, the password is sent over an encrypted connection, stored in an encrypted file on a Microsoft server, and then sent over an HTTPS connection to the contacts' PC or phone if they use Wi-Fi Sense.
-
-- Access is only shared with your employee’s contacts. Wi-Fi Sense doesn't share networks with the contact's contacts. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network.
-
-### Sharing considerations
-- Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol.
-
-- Your employees can pick which Wi-Fi networks they want to share. The first time the employee connects to a password-protected Wi-Fi network, they’re presented with an option to share the network and to pick the contacts that should be given the info.
+If you select the **Share network with my contacts** check box the first time you connect to a new network, the network won’t be shared.
## Related topics
-- [Wi-Fi Sense FAQ](http://go.microsoft.com/fwlink/p/?LinkId=620911)
+- [Wi-Fi Sense and Privacy](http://go.microsoft.com/fwlink/p/?LinkId=620911)
- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959)
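Review bot: The removed "Security considerations" section said that for shared networks the password is "stored in an encrypted file on a Microsoft server", and the new Important note says only that the sharing setting "will have no effect now". Add a sentence on what happens to network credentials that were shared before the service was retired, or link to where that is covered. Two smaller points: "This means:" introduces three loose paragraphs, so a bulleted list would show where the note ends, and the Related topics entry is renamed from "Wi-Fi Sense FAQ" to "Wi-Fi Sense and Privacy" while keeping LinkId=620911, so check that the fwlink resolves to a page with the new title.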
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md
index 32c891b331..cc81d0801d 100644
--- a/windows/manage/set-up-a-device-for-anyone-to-use.md
+++ b/windows/manage/set-up-a-device-for-anyone-to-use.md
@@ -74,7 +74,9 @@ A Universal Windows app is built on the Universal Windows Platform (UWP), which
-
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index 0e347899ad..e2155e0da8 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md
@@ -1107,9 +1107,6 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile
| Allow Search Suggestions in Address Bar | Whether search suggestions are shown in the address bar |
| Allow SmartScreen | Whether SmartScreen Filter is enabled |
| First Run URL | The URL to open when a user launches Microsoft Edge for the first time |
-| Include Sites Bypassing Proxy In Intranet Sites | Whether websites that bypass the proxy server are able to use the Intranet security zone |
-| Include UNC Paths In Intranet Sites | Whether URL paths can represent Universal Naming Convention (UNC) paths in the Intranet security zone |
-| Intranet Sites | A list of the websites that are in the Intranet security zone |
| Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files |
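Review bot: Dropping the three Intranet-zone rows from Table 19 ("Include Sites Bypassing Proxy In Intranet Sites", "Include UNC Paths In Intranet Sites", "Intranet Sites") needs a stated reason: were these settings removed from Microsoft Edge on Windows 10 Mobile, or only from this table? They decide which sites receive Intranet security zone treatment, so an admin who already deployed them should be told whether they still take effect. If the settings are retired, say so in the article or its change history rather than deleting the rows silently.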
diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md
index 262e5704c5..a8a36b3268 100644
--- a/windows/manage/working-with-line-of-business-apps.md
+++ b/windows/manage/working-with-line-of-business-apps.md
@@ -41,7 +41,7 @@ What you'll have to set up:
- LOB publishers need to have an app in the Store, or have an app ready to submit to the Store.
-### Add an LOB publisher (admin)
+### Add an LOB publisher (Store for Business Admin)
For developers within your own organization, or ISVs you're working with to create LOB apps, you'll need to invite them to become a LOB publisher.
@@ -49,7 +49,8 @@ For developers within your own organization, or ISVs you're working with to crea
1. Sign in to the [Windows Store for Business]( http://go.microsoft.com/fwlink/p/?LinkId=623531).
2. Click **Settings**, and then choose **LOB publishers**.
-3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.
+3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.
+**Note** This needs to be the email address listed in contact info for the developer account.
### Submit apps (LOB publisher)
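Review bot: In step 3 the removed and added lines show identical text, so the change is presumably trailing whitespace to force a line break before the new `**Note**`; that is fragile because many editors strip trailing spaces, after which the note will run into the step text. Put the note on its own indented paragraph under step 3 instead. The note's "This needs to be the email address" also has no clear referent; something like "The email address you enter must be the one listed in the contact info for the developer account" is unambiguous. While the line is being touched, "Line-of business" is missing a hyphen.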
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 51db604bd5..a188d6d0a1 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -9,6 +9,7 @@
### [Integration with management solutions](integration-with-management-solutions-.md)
## [Guidance for education environments](windows-10-guidance-for-education-environments.md)
### [Chromebook migration guide](chromebook-migration-guide.md)
+### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Windows To Go: feature overview](windows-to-go-overview.md)
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index 82a16df6da..7d8965c6d6 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,13 +13,19 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## May 2016
+
+
+| New or changed topic | Description |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | New|
+
## December 2015
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
-
## November 2015
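Review bot: The new table row ends with `New|` where the existing rows use `New |`, and the hunk adds two blank lines after `## May 2016` while deleting the blank line that separated the December 2015 table from `## November 2015`. Keep one blank line after each heading and after each table so the sections stay consistent and the heading is not parsed as part of the table.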
diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md
index e56979fdef..50915dc54d 100644
--- a/windows/plan/chromebook-migration-guide.md
+++ b/windows/plan/chromebook-migration-guide.md
@@ -37,8 +37,6 @@ Before you can do any analysis or make decisions about which apps to migrate or
**Note**
The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
-
-
You can divide the apps into the following categories:
- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio.
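Review bot: The two blank lines removed after the **Note** paragraph must still leave one blank line before "You can divide the apps into the following categories:", otherwise that sentence renders as a continuation of the note. Please confirm this in the rendered output before merging.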
@@ -908,7 +906,7 @@ There are also a number of software vendors who provide software that helps auto
## Perform cloud services migration
-In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices.
+In the [Plan for cloud services migration](#plan-cloud-services) section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices.
Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected.
diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md
new file mode 100644
index 0000000000..53a866f3b8
--- /dev/null
+++ b/windows/plan/deploy-windows-10-in-a-school.md
@@ -0,0 +1,1264 @@
+---
+title: Deploy Windows 10 in a school (Windows 10)
+description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
+keywords: configure, tools, device, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: edu
+ms.sitesec: library
+author: craigash
+---
+
+# Deploy Windows 10 in a school
+
+
+**Applies to**
+
+- Windows 10
+
+This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
+
+## Prepare for school deployment
+
+Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school.
+
+### Plan a typical school configuration
+
+As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
+
+
+
+*Figure 1. Typical school configuration for this guide*
+
+Figure 2 shows the classroom configuration this guide uses.
+
+
+
+*Figure 2. Typical classroom configuration in a school*
+
+This school configuration has the following characteristics:
+- It contains one or more admin devices.
+- It contains two or more classrooms.
+- Each classroom contains one teacher device.
+- The classrooms connect to each other through multiple subnets.
+- All devices in each classroom connect to a single subnet.
+- All devices have high-speed, persistent connections to each other and to the Internet.
+- All teachers and students have access to Windows Store or Windows Store for Business.
+- All devices receive software updates from Intune (or another device management system).
+- You install a 64-bit version of Windows 10 on the admin device.
+- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
+
+ **Note** In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+- The devices use Azure AD in Office 365 Education for identity management.
+- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/).
+- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices.
+- Each device supports a one-student-per-device or multiple-students-per-device scenario.
+- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical.
+- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot).
+- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education.
+
+Office 365 Education allows:
+
+- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser.
+- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students.
+- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty.
+- Teachers to employ Sway to create interactive educational digital storytelling.
+- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
+- Faculty to use advanced email features like email archiving and legal hold capabilities.
+- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management.
+- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
+- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype.
+- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
+- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
+- Students and faculty to use Office 365 Video to manage videos.
+- Students and faculty to use Yammer to collaborate through private social networking.
+- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
+
+For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic).
+
+## How to configure a school
+
+Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge.
+
+The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
+
+You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+
+MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices.
+
+LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
+
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+
+The configuration process requires the following devices:
+
+- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device.
+- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
+- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
+
+The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3:
+
+1. Prepare the admin device for use, which includes installing the Windows ADK and MDT.
+2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school.
+3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
+4. On the admin device, create and configure a Windows Store for Business portal.
+5. On the admin device, prepare for management of the Windows 10 devices after deployment.
+6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
+7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
+
+
+
+*Figure 3. How school configuration works*
+
+Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide.
+
+### Summary
+
+In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school.
+
+## Prepare the admin device
+
+Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share.
+
+### Install the Windows ADK
+
+The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management.
+
+When you install the Windows ADK on the admin device, select the following features:
+
+- Deployment tools
+- Windows Preinstallation Environment (Windows PE)
+- User State Migration Tool (USMT)
+
+For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK).
+
+### Install MDT
+
+Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft.
+
+You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems.
+
+**Note** If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
+
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+
+Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
+
+### Create a deployment share
+
+MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media).
+
+For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare).
+
+### Summary
+
+In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process.
+
+## Create and configure Office 365
+
+Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
+
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+
+### Select the appropriate Office 365 Education license plan
+
+Complete the following steps to select the appropriate Office 365 Education license plan for your school:
+
+
+- Determine the number of faculty members and students who will use the classroom.
Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
+
+- Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+
+*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans*
+
+
+
+
+
+
+
+
+
+
+
+Standard | - Less expensive than Office 365 ProPlus
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Office 365 ProPlus
|
+Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
- Supports full set of Office features
| - Requires installation
- Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|
+
+
+
+
+The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+
+- Determine whether students or faculty need Azure Rights Management.
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
+- Record the Office 365 Education license plans needed for the classroom in Table 2.
+
+*Table 2. Office 365 Education license plans needed for the classroom*
+
+
+
+
+
+
+
+
+
+
+ | Office 365 Education for students |
+ | Office 365 Education for faculty |
+ | Azure Rights Management for students |
+ | Azure Rights Management for faculty |
+
+
+
+You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
+
+### Create a new Office 365 Education subscription
+
+To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions.
+
+**Note** If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains).
+
+#### To create a new Office 365 subscription
+
+1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar.
+
+ **Note** If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
+ - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**.
+ - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**.
+
+2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account.
+3. Click the hyperlink in the email in your school email account.
+4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription.
+
+### Add domains and subdomains
+
+Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains.
+
+#### To add additional domains and subdomains
+
+1. In the Office 365 admin center, in the list view, click **DOMAINS**.
+2. In the details pane, above the list of domains, on the menu bar, click **Add domain**.
+3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**.
+4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**.
+5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider.
+6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution.
+
+### Configure automatic tenant join
+
+To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
+
+**Note** By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+
+Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
+
+- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant.
+- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it.
+
+You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365.
+
+**Note** You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
+
+All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join*
+
+
+| Action | Windows PowerShell command |
+|------- |----------------------------|
+| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`|
+| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`|
+
+**Note** If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+
+### Disable automatic licensing
+
+To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval.
+
+**Note** By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
+
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+*Table 4. Windows PowerShell commands to enable or disable automatic licensing*
+
+| Action | Windows PowerShell command|
+| -------| --------------------------|
+| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`|
+|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`|
+
+### Enable Azure AD Premium
+
+When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
+
+Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access).
+
+The Azure AD Premium features that are not in Azure AD Basic include:
+
+- Allow designated users to manage group membership
+- Dynamic group membership based on user metadata
+- Multifactor authentication (MFA)
+- Identify cloud apps that your users run
+- Automatic enrollment in a mobile device management (MDM) system (such as Intune)
+- Self-service recovery of BitLocker
+- Add local administrator accounts to Windows 10 devices
+- Azure AD Connect health monitoring
+- Extended reporting capabilities
+
+You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+
+You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process.
+
+For more information about:
+
+- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3).
+
+### Summary
+You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365.
+
+## Select an Office 365 user account–creation method
+
+
+Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts:
+
+- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain.
+- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+
+### Method 1: Automatic synchronization between AD DS and Azure AD
+
+In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+
+**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396).
+
+
+
+*Figure 4. Automatic synchronization between AD DS and Azure AD*
+
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
+
+### Method 2: Bulk import into Azure AD from a .csv file
+
+In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+
+
+
+*Figure 5. Bulk import into Azure AD from other sources*
+
+To implement this method, perform the following steps:
+
+1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires.
+2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
+
+### Summary
+
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+
+## Integrate on-premises AD DS with Azure AD
+
+You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+
+**Note** If your institution does not have an on-premises AD DS domain, you can skip this section.
+
+### Select synchronization model
+
+Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect.
+
+You can deploy the Azure AD Connect tool by using one of the following methods:
+
+- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+
+ 
+
+ *Figure 6. Azure AD Connect on premises*
+
+- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+
+ 
+
+ *Figure 7. Azure AD Connect in Azure*
+
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx).
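Review bot: the **In Azure** bullet says "Azure AD Connect runs on a VM in Azure AD", which should read "on a VM in Azure"; the Figure 7 caption ("Azure AD Connect in Azure") already uses the correct term. The same sentence is not parallel ("has the advantages of being faster to provision ..., offers better site availability, and helps reduce ..."); suggest "has the advantages of faster provisioning, better site availability, and fewer on-premises servers". The closing link is titled "Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure" while the text is about Azure AD Connect, so state whether that article applies to Azure AD Connect or replace the link.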
+
+### Deploy Azure AD Connect on premises
+
+In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+
+#### To deploy AD DS and Azure AD synchronization
+
+1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/).
+2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect).
+4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features).
+
+Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
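Review bot: step 2 tells the reader to sign in with a domain administrator account, but the procedure does not say which of the four steps need that level of privilege or when to sign out again. State the rights each step requires, or point to where the linked prerequisites list them, so the account is used only for as long as the installation needs it. In the closing sentence, "used on premises Azure AD Connect" reads awkwardly; suggest "used Azure AD Connect on premises".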
+
+### Verify synchronization
+
+Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+
+#### To verify AD DS and Azure AD synchronization
+
+1. Open https://portal.office.com in your web browser.
+2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
+3. In the list view, expand **USERS**, and then click **Active Users**.
+4. In the details pane, view the list of users. The list of users should mirror the users in AD DS.
+5. In the list view, click **GROUPS**.
+6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS.
+7. In the details pane, double-click one of the security groups.
+8. The list of security group members should mirror the group membership for the corresponding security group in AD DS.
+9. Close the browser.
+
+Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
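Review bot: step 6 has a copy-paste error: "view the list of security groups. The list of users should mirror the security groups in AD DS" should say "The list of security groups should mirror ...". Step 8 is the expected result of step 7 rather than an action, so fold it into step 7. The check itself is only "should mirror"; consider saying what to compare (for example, object counts against AD DS), because a partial synchronization would still show a plausible-looking list.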
+
+### Summary
+
+In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+
+## Bulk-import user and group accounts into AD DS
+
+You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
+
+**Note** If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
+
+### Select the bulk import method
+
+Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS.
+
+*Table 5. AD DS bulk-import account methods*
+
+|Method | Description and reason to select this method |
+|-------| ---------------------------------------------|
+|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).|
+|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+### Create a source file that contains the user and group accounts
+
+After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods.
+
+*Table 6. Source file format for each bulk import method*
+
+| Method | Source file format |
+|--------| -------------------|
+|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).|
+| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+### Import the user accounts into AD DS
+
+With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
+
+**Note** Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
+
+For more information about how to import user accounts into AD DS by using:
+
+- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
+- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).
+- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
+
+### Summary
+
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
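Review bot: the same four Ldifde.exe links, the VBScript link, and the two Windows PowerShell links are repeated in full in Table 5, in Table 6, and again in the list under "Import the user accounts into AD DS"; keep them in one place and refer back to it. One of the repeated links ("PowerShell: Bulk create AD Users from CSV file") uses `http://` while the others use `https://`. Typos: "Window PowerShell scripting" in Table 5 should be "Windows PowerShell", "contains the user and group account" under Table 6's introduction should be "accounts", and "in to AD DS" in the summary should be "into AD DS".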
+
+## Bulk-import user accounts into Office 365
+
+You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires.
+
+### Create user accounts in Office 365
+
+Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom.
+
+You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users).
+
+The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
+
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+
+**Note** If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
+
+The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365.
+
+### Create Office 365 security groups
+
+Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
+
+**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+
+For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+
+You can add and remove users from security groups at any time.
+
+**Note** Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
+
+### Create email distribution groups
+
+Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student.
+
+You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group.
+
+**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
+
+For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+
+### Summary
+
+Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
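Review bot: the paragraph "The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users" gives no guidance on how to hand those passwords out; add a sentence on the expected channel and on whether users must change the password at first sign-in, since this covers student accounts created in bulk. Under "Create email distribution groups", the closing line "For information about how to create security groups, see ..." is copied from the security groups section and should refer to distribution groups. The note "don’t create security accounts in Office 365" should say "security groups". The summary claims "First, you selected the bulk-import method", but this section contains no such step.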
+
+## Assign user licenses for Azure AD Premium
+
+Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost.
+
+You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+
+For more information about:
+
+- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+
+## Create and configure a Windows Store for Business portal
+
+Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following:
+
+- Find and acquire Windows Store apps.
+- Manage apps, app licenses, and updates.
+- Distribute apps to your users.
+
+For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+
+The following section shows you how to create a Windows Store for Business portal and configure it for your school.
+
+### Create and configure your Windows Store for Business portal
+
+To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator.
+
+#### To create and configure a Windows Store for Business portal
+
+1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar.
+2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.
**Note** If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
+4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
+5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**.
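Review bot: step 1 has the administrator type `http://microsoft.com/business-store` and then sign in with the Office 365 administrative account; give the address with `https://` so the first request is not made over plain HTTP. Between steps 2 and 3 there is a line without the leading `+` ("**Note** If your institution has AD DS, then don’t create security accounts in Office 365 ...") that repeats the security groups note from the Office 365 section and has nothing to do with signing in to the store; it also breaks the numbered list, so remove it here. Step 4 is missing its final period after **Accept**.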
+
+After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
+
+*Table 7. Menu selections to configure Windows Store for Business settings*
+
+| Menu selection | What you can do in this menu |
+|---------------| -------------------|
+|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
+|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).|
+|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).|
+|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).|
+|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
+|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
+|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
+
+### Find, acquire, and distribute apps in the portal
+
+Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
+
+**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
+
+You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
+
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
+
+### Summary
+
+At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users.
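Review bot: the summary contradicts itself: "Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users." Drop the last sentence or point it at the next section ("Plan for deployment"). Earlier in the section, "Making apps available through your private store allows all your users." is an unfinished sentence; it needs its object, for example what all users are allowed to do with the app.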
+
+## Plan for deployment
+
+You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process.
+
+### Select the operating systems
+
+Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of:
+
+- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10.
+- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10.
+
+Depending on your school’s requirements, you may need any combination of the following Windows 10 editions:
+
+- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home.
+- **Windows 10 Pro**. Use this operating system to:
+ - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro.
+ - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration.
+- **Windows 10 Education**. Use this operating system to:
+ - Upgrade institution-owned devices to Windows 10 Education.
+ - Deploy new instances of Windows 10 Education so that new devices have a known configuration.
+
+**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home.
+
+One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
+
+**Note** On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
+
+Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture.
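Review bot: typos in this section: "you will complete replace the existing operating system" should be "completely replace", and "only 32 bit versions" should be hyphenated as "32-bit" to match the rest of the paragraph. The two bullets that follow "In the case of:" are hard to parse as sentence continuations; suggest full sentences such as "For new devices or a refresh of existing devices, you completely replace ...".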
+
+### Select an image approach
+
+A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed.
+
+The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment.
+
+The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image.
+
+### Select a method to initiate deployment
+
+The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution.
+
+*Table 8. Methods to initiate MDT deployment*
+
+
+
+
+
+
+
+
+
+
+
+
+Windows Deployment Services |
+This method:
+
+- Uses diskless booting to initiate MDT deployment.
+- Works only with devices that support PXE boot.
+- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
+- Deploys images more slowly than when using local media.
+- Requires that you deploy a Windows Deployment Services server.
+
+
+Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. |
+
+
+
+Bootable media |
+This method:
+
+- Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
+- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
+- Deploys images more slowly than when using local media.
+- Requires no additional infrastructure.
+
+
+Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. |
+
+
+
+MDT deployment media |
+This method:
+
+- Initiates MDT deployment by booting from a local USB hard disk.
+- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
+- Deploys images more quickly than network-based methods do.
+- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
+
+
+Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk. |
+
+
+
+
+### Summary
+
+At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment.
+
+## Prepare for deployment
+
+To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment.
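Review bot: the opening line "To deploy Windows 10 to devices, using the LTI deployment method in MDT." is a sentence fragment; suggest "To deploy Windows 10 to devices, you use the LTI deployment method in MDT."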
+
+### Configure the MDT deployment share
+
+The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9.
+
+*Table 9. Tasks to configure the MDT deployment share*
+
+
+
+
+
+
+
+
+
+
+
+1. Import operating systems |
+Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). |
+
+
+
+2. Import device drives |
+Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
+
+Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench).
+
+ |
+
+
+
+3. Create MDT applications for Windows Store apps |
+Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
+
+Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.
+
+If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.
+
+In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:
+
+- Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
+- Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+
+
+
+ |
+
+
+
+4. Create MDT applications for Windows desktop apps
+ |
+You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
+
+To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).
+
+If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
+
+**Note** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+
+ |
+
+
+
+5. Create task sequences.
+ |
+You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will:
+
+- Deploy Windows 10 Education 64-bit to devices.
+- Deploy Windows 10 Education 32-bit to devices.
+- Upgrade existing devices to Windows 10 Education 64-bit.
+- Upgrade existing devices to Windows 10 Education 32-bit.
+
+
+Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench).
+
+ |
+
+
+
+6. Update the deployment share.
+ |
+Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
+
+For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). |
+
+
+
+
+### Configure Window Deployment Services for MDT
+
+You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers.
+
+#### To configure Windows Deployment Services for MDT
+
+1. Set up and configure Windows Deployment Services.
Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources:
+
+ - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx)
+ - The Windows Deployment Services Help file, included in Windows Deployment Services
+ - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx)
+
+2. Add LTI boot images (Windows PE images) to Windows Deployment Services.
The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+
+### Summary
+
+Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution.
+
+## Prepare for device management
+
+Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant.
+
+### Select the management method
+
+If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases.
+
+For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution.
+
+*Table 10. School management methods*
+
+
+
+
+
+
+
+
+
+
+
+
+Group Policy |
+
+Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:
+
+- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
+- Want more granular control of device and user settings.
+- Have an existing AD DS infrastructure.
+- Typically manage on-premises devices.
+- Can manage a required setting only by using Group Policy.
+
+
+The advantages of this method include:
+
+- No cost beyond the AD DS infrastructure.
+- A larger number of settings (compared to Intune).
+
+The disadvantages of this method are:
+
+- Can only manage domain-joined (institution-owned devices).
+- Requires an AD DS infrastructure (if the institution does not have AD DS already).
+- Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
+
+ |
+
+
+
+Intune |
+Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
+Select this method when you:
+
+- Want to manage institution-owned and personal devices (does not require that the device be domain joined).
+- Don’t require the level of granular control over device and user settings (compared to Group Policy).
+- Don’t have an existing AD DS infrastructure.
+- Need to manage devices regardless of where they are (on or off premises).
+- Can manage a required setting only by using Intune.
+
+
+The advantages of this method are:
+
+- You can manage institution-owned and personal devices.
+- It doesn’t require that devices be domain joined.
+- It doesn’t require any on-premises infrastructure.
+- It can manage devices regardless of their location (on or off premises).
+
+
+The disadvantages of this method are:
+
+- Carries an additional cost for subscription.
+- Doesn’t have a granular level control over device and user settings (compared to Group Policy).
+
+
+ |
+
+
+
+
+
+### Select Microsoft-recommended settings
+
+Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings.
+
+*Table 11. Recommended settings for educational institutions*
+
+
+
+
+
+
+
+
+
+
+
+
+
+Use of Microsoft accounts |
+You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
+**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.
+**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+Restrict local administrator accounts on the devices |
+Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Intune**. Not available.
+ |
+
+
+
+Restrict the local administrator accounts on the devices |
+Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Intune**. Not available.
+ |
+
+
+
+Manage the built-in administrator account created during device deployment |
+When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.
+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).
+**Intune**. Not available.
+ |
+
+
+
+Control Windows Store access |
+You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.
+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
+**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+Use of Remote Desktop connections to devices |
+Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
+**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
+**Intune**. Not available.
+ |
+
+
+
+Use of camera |
+A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
+**Group Policy**. Not available.
+**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+Use of audio recording |
+Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).
+**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+Use of screen capture |
+Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
+**Group Policy**. Not available.
+**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+Use of location services |
+Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
+**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.
+**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+Changing wallpaper |
+Displaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.
+**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.
+**Intune**. Not available.
+ |
+
+
+
+
+
+### Configure settings by using Group Policy
+
+Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
+
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx).
+
+#### To configure Group Policy settings
+
+1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx).
+
+### Configure settings by using Intune
+
+Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
+
+For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
+
+#### To configure Intune settings
+
+1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
+2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx).
+3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx).
+4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx).
+
+### Deploy apps by using Intune
+
+You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution.
+
+For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
+
+### Summary
+
+In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively.
+
+## Deploy Windows 10 to devices
+
+You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10.
+
+### Prepare for deployment
+
+Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure.
+
+*Table 12. Deployment preparation checklist*
+
+|Task | |
+| ---| --- |
+| |The target devices have sufficient system resources to run Windows 10. |
+| | Identify the necessary devices drivers, and import them to the MDT deployment share.|
+| | Create an MDT application for each Windows Store and Windows desktop app.|
+| | Notify the students and faculty about the deployment.|
+
+### Perform the deployment
+
+Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
+
+**Note** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
+
+In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
+
+#### To deploy Windows 10
+
+1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
+2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
+
+### Set up printers
+
+After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section.
+
+**Note** If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section.
+
+#### To set up printers
+
+1. Review the printer manufacturer’s instructions for installing the printer drivers.
+2. On the admin device, download the printer drivers.
+3. Copy the printer drivers to a USB drive.
+4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device.
+5. Insert the USB drive in the device.
+6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive.
+7. Verify that the printer drivers were installed correctly by printing a test page.
+8. Complete steps 1–8 for each printer.
+
+### Verify deployment
+
+As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following:
+
+- The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
+- Windows Update is active and current with software updates.
+- Windows Defender is active and current with malware signatures.
+- The SmartScreen Filter is active.
+- All Windows Store apps are properly installed and updated.
+- All Windows desktop apps are properly installed and updated.
+- Printers are properly configured.
+
+When you have verified that the first device is properly configured, you can move to the next device and perform the same steps.
+
+### Summary
+
+You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use.
+
+## Maintain Windows devices and Office 365
+
+After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule:
+
+- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware.
+- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students.
+- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration.
+
+Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
+
+*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Verify that Windows Update is active and current with operating system and software updates.
+For more information about completing this task when you have:
+
+- Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
+- Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
+- Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
+- Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
+
+ |
+X |
+X |
+X |
+
+
+
+Verify that Windows Defender is active and current with malware signatures.
+For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). |
+X |
+X |
+X |
+
+
+
+Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
+For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus)
+ |
+X |
+X |
+X |
+
+
+
+Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
+For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). |
+ |
+X |
+X |
+
+
+
+Refresh the operating system and apps on devices.
+For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.
+For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Install new or update existing Windows Store apps that are used in the curriculum.
+Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.
+You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Remove unnecessary user accounts (and corresponding licenses) from Office 365.
+For more information about how to:
+
+- Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
+- Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
+
+
+ |
+ |
+X |
+X |
+
+
+
+Add new accounts (and corresponding licenses) to Office 365.
+For more information about how to:
+
+- Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
+- Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
+
+ |
+ |
+X |
+X |
+
+
+
+Create or modify security groups and manage group membership in Office 365.
+For more information about how to:
+
+- Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
+- Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
+
+
+ |
+ |
+X |
+X |
+
+
+
+Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange).
+
+ |
+ |
+X |
+X |
+
+
+
+Install new student devices
+Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.
+
+ |
+ |
+ |
+X |
+
+
+
+
+
+### Summary
+
+Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified.
+
+##Related resources
+
+- [Try it out: Windows 10 deployment (for educational institutions)](http://go.microsoft.com/fwlink/p/?LinkId=623254)
+- [Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)
+- [Chromebook migration guide](http://go.microsoft.com/fwlink/p/?LinkId=623249)
+
+
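Review bot: the `##Related resources` heading near the end of this new file has no space after the hashes, so stricter Markdown renderers will print it as literal text instead of a heading; change it to `## Related resources`. The three go.microsoft.com links under it use `http://`, and should move to `https://` if the redirector serves it. Several support.office.com links in the maintenance table carry `?ui=en-US&rs=en-US&ad=US`, which pins readers to one locale and can be dropped.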
diff --git a/windows/plan/images/deploy-win-10-school-figure1.png b/windows/plan/images/deploy-win-10-school-figure1.png
new file mode 100644
index 0000000000..66113dcce1
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure1.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure2.png b/windows/plan/images/deploy-win-10-school-figure2.png
new file mode 100644
index 0000000000..0227f8dbaa
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure2.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure3.png b/windows/plan/images/deploy-win-10-school-figure3.png
new file mode 100644
index 0000000000..1b39b5cc14
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure3.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure4.png b/windows/plan/images/deploy-win-10-school-figure4.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure4.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure5.png b/windows/plan/images/deploy-win-10-school-figure5.png
new file mode 100644
index 0000000000..550386f1ce
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure5.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure6.png b/windows/plan/images/deploy-win-10-school-figure6.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure6.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure7.png b/windows/plan/images/deploy-win-10-school-figure7.png
new file mode 100644
index 0000000000..8e7581007a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure7.png differ
diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md
index 42b4c473fa..1133a6ea3b 100644
--- a/windows/whats-new/user-account-control.md
+++ b/windows/whats-new/user-account-control.md
@@ -19,7 +19,7 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
-For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](https://technet.microsoft.com/library/dd835564.aspx#BKMK_AdminApprovalMode).
+For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md).
In Windows 10, User Account Control has added some improvements.
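Review bot: the replacement line still reads "how manage UAC", so add the missing "to" while the line is being touched. The new relative link also drops the `#BKMK_AdminApprovalMode` fragment that the old TechNet URL carried; confirm that `user-account-control-group-policy-and-registry-key-settings.md` has an equivalent anchor, or that landing at the top of that page is intended. The context line above it has "Univeral" for "Universal" and "setting the UAC slider Never Notify" without "to", which could be fixed in the same change.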