testing what's new node

This commit is contained in:
Brian Lich 2016-03-07 12:50:53 -08:00
parent d2f796097e
commit c68880c52b
25 changed files with 2212 additions and 6 deletions

View File

@ -14,15 +14,15 @@ This library provides the core content that IT pros need to evaluate, plan, depl
## In this library ## In this library
[What's new in Windows 10](../whats-new/what-s-new-in-windows-10.md) [What's new in Windows 10](../windows/whats-new/what-s-new-in-windows-10.md)
[Plan for Windows 10 deployment](../plan/planning-for-windows-10-deployment.md) [Plan for Windows 10 deployment](../windows/plan/planning-for-windows-10-deployment.md)
[Deploy Windows 10](../deploy/deploy-windows-10.md) [Deploy Windows 10](../windows/deploy/deploy-windows-10.md)
[Keep Windows 10 secure](../keep-secure/keep-windows-secure.md) [Keep Windows 10 secure](../windows/keep-secure/keep-windows-secure.md)
[Manage and update Windows 10](../manage/manage-and-update-windows-10.md) [Manage and update Windows 10](../windows/manage/manage-and-update-windows-10.md)
## Related topics ## Related topics
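Review bot: every link in this hunk gains a `windows/` segment (`../whats-new/what-s-new-in-windows-10.md` becomes `../windows/whats-new/what-s-new-in-windows-10.md`), so index.md now resolves its targets relative to a parent of the `windows` folder; confirm the file itself was moved in this commit, otherwise all five links break. The hunk ends at the `## Related topics` heading, so whatever links sit under it are unchanged; check that they received the same `../windows/` prefix, or the page will mix working and broken paths.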

View File

@ -1 +1,20 @@
#[What's new](placeholder.md) # [What's new in Windows 10](what-s-new-in-windows-10.md)
## [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)
## [AppLocker](applocker.md)
## [BitLocker](bitlocker.md)
## [Browser: Microsoft Edge and Internet Explorer 11](microsoft-edge-and-internet-explorer-11.md)
## [Credential Guard](credential-guard.md)
## [Device Guard](device-guard-overview.md)
## [Enterprise data protection (EDP)](enterprise-data-protection-overview.md)
## [Enterprise management for Windows 10 devices](device-management.md)
## [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-from-windows-embedded-industry-8-1.md)
## [Microsoft Passport](microsoft-passport.md)
## [Provisioning packages](provisioning-and-upgrade.md)
## [Security](security.md)
## [Security auditing](security-auditing.md)
## [Trusted Platform Module](trusted-platform-module.md)
## [User Account Control](user-account-control.md)
## [Windows spotlight on the lock screen](windows-spotlight.md)
## [Windows Store for Business overview](business-store-for-windows-10.md)
## [Windows Update for Business](windows-update-for-busines.md)
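Review bot: the last entry links to `windows-update-for-busines.md`, which drops the second `s` of `business`; the change-history file added in this same commit uses the same target, so either the file really has that name or both references should be corrected together. The `Provisioning packages` entry points at `provisioning-and-upgrade.md`, a filename that does not match its title the way every other entry does; confirm the target is intentional.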

View File

@ -0,0 +1,41 @@
---
title: What's new in AppLocker? (Windows 10)
description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in AppLocker?
**Applies to**
- Windows 10
- Windows 10 Mobile
AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
In Windows 10, AppLocker has added some improvements.
## New features in Windows 10
- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx).
[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview-server.md).
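Review bot: the second and third bullets under `New features in Windows 10` both describe the AppLocker CSP and both link to the same MSDN page (dn920019); fold them into one bullet that says the CSP lets an MDM server push rules to Windows 10 and Windows 10 Mobile devices. Two wording fixes in the same list: `was add to allow` should be `was added to allow`, and `set the **ServiceEnforcement** to **Enabled**` is missing its noun (`the **ServiceEnforcement** parameter`).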
 
 

View File

@ -0,0 +1,60 @@
---
title: What's new in BitLocker? (Windows 10)
description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in BitLocker?
**Applies to**
- Windows 10
- Windows 10 Mobile
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
## New features in Windows 10, Version 1511
- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
It provides the following benefits:
- The algorithm is FIPS-compliant.
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
**Note**  
Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
 
## New features in Windows 10
- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#BKMK_Encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md).
[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview-roletech-overview.md).
## Related topics
[Trusted Platform Module](../keep-secure/trusted-platform-module-technology-overview.md)
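Review bot: in the `Note` under XTS-AES, `older version of Windows` should be plural, and `This is only recommended for fixed and operating system drives` needs its subject spelled out (`XTS-AES is only recommended ...`), because the sentence before it is about drive accessibility, not a recommendation. In the pre-boot recovery bullet, `recover URL` should be `recovery URL`. The closing link target `bitlocker-overview-roletech-overview.md` reads like a mangled filename next to `bitlocker-group-policy-settings.md` two lines above; verify it exists under `../keep-secure/`.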
 
 

View File

@ -0,0 +1,327 @@
---
title: Windows Store for Business overview (Windows 10)
description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
---
# Windows Store for Business overview
**Applies to**
- Windows 10
- Windows 10 Mobile
With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
## Features
Organizations of any size can benefit from using the Store for Business provides:
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
- **Private store** - Curate a private store for your business thats easily available from any Windows 10 device.
- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
- Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
- Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
- Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
## Prerequisites
You'll need this software to work with the Store for Business.
### Required
- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
- Employees using apps from Store for Business need Windows 10, Version 1511 running on a PC or mobile device.
Microsoft Azure Active Directory (AD) accounts for your employees:
- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
- Employees need Azure AD account when they access Store for Business content from Windows devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
- For offline-licensed apps, Azure AD accounts are not required for employees.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611).
### Optional
While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
- Need to integrate with Windows 10 management framework and Azure AD.
- Need to sync with the Store for Business inventory to distribute apps.
## How does the Store for Business work?
### Sign up!
The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
For more information, see [Sign up for the Store for Business](../manage/sign-up-for-windows-store-for-business.md).
### Set up
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. These are the roles and their permissions.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Permission</th>
<th align="left">Account settings</th>
<th align="left">Acquire apps</th>
<th align="left">Distribute apps</th>
<th align="left">Device Guard signing</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Admin</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Purchaser</p></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Device Guard signer</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
</tr>
</tbody>
</table>
 
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-in-the-windows-store-for-business.md).
Also, if your organization plans to use a management tool, youll need to configure your management tool to sync with the Store for Business.
### Get apps and content
Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. For now, apps in the Store for Business are free. Over time, when paid apps are available, youll have more options for paying for apps.
**App types** -- These app types are supported in the Store for Business:
- Universal Windows Platform apps
- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens
Apps purchased from the Store for Business only work on Windows 10 devices.
Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps.
**App licensing model**
The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
For more information, see [Apps in the Store for Business](../manage/apps-in-the-windows-store-for-business.md#licensing_model).
### Distribute apps and content
App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
**Using the Store for Business** Distribution options for the Store for Business:
- Email link After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
- Curate private store for all employees A private store can include content youve purchased from the Store, and your line-of-business apps that youve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
- To use the options above users must be signed in with an Azure AD account on a Windows 10 device.
**Using a management tool** For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
- Scoped content distribution Ability to scope content distribution to specific groups of employees.
- Install apps for employees Employees are not responsible for installing apps. Management tool installs apps for employees.
Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-from-the-windows-store-for-business.md).
### Manage Store for Business settings and content
Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
**Manage Store for Business settings**
- Assign and change roles for employees or groups
- Device Guard signing
- Register a management server to deploy and install content
- Manage relationships with LOB publishers
- Manage offline licenses
- Update the name of your private store
**Manage inventory**
- Assign app licenses to employees
- Reclaim and reassign app licenses
- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
- Download apps for offline installs
For more information, see [Manage settings in the Store for Business](../manage/manage-settings-in-the-windows-store-for-business.md) and [Manage apps](../manage/manage-apps.md).
## Supported markets
Store for Business is currently available in these markets.
- Argentina
- Australia
- Austria
- Belgium (Dutch, French)
- Brazil
- Canada (English, French)
- Chile
- Columbia
- Croatia
- Czech Republic
- Denmark
- Finland
- France
- Germany
- Greece
- Hong Kong SAR
- Hungary
- India
- Indonesia
- Ireland
- Italy
- Japan
- Malaysia
- Mexico
- Netherlands
- New Zealand
- Norway
- Philippines
- Poland
- Portugal
- Romania
- Russia
- Singapore
- Slovakia
- South Africa
- Spain
- Sweden
- Switzerland (French, German)
- Taiwan
- Thailand
- Turkey
- Ukraine
- United Kingdom
- United States
- Vietnam
## ISVs and the Store for Business
Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
- Admin adds the app to Store for Business inventory.
Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
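Review bot: the `Features` intro `Organizations of any size can benefit from using the Store for Business provides:` is two clauses run together; rewrite as `Organizations of any size can benefit from the Store for Business, which provides:`. In the same file, apostrophes were lost (`thats`, `youll`, `youve`), two spaces were dropped (`Store for Businessare`, `Store for Businesswith`), the distribution bullets lost their separator (`Email link After purchasing an app`, `Curate private store for all employees A private store`), `a management tools provides` should be singular, and the market list spells `Colombia` as `Columbia`. The `Working with Line-of-Business apps` reference in `Get apps and content` is plain text while the same reference at the end of the file is a link; link both.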
 
 

View File

@ -0,0 +1,109 @@
---
title: Change history for What's new in Windows 10 (Windows 10)
description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: TrudyHa
---
# Change history for What's new in Windows 10
This topic lists new and updated topics in the [What's new in Windows 10](what-s-new-in-windows-10.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## February 2016
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-from-windows-embedded-industry-8-1.md)</td>
<td align="left"><p>Updated to include policy setting names for USB filter and Toast notification filter</p></td>
</tr>
</tbody>
</table>
 
## January 2016
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Browser: Microsoft Edge and Internet Explorer 11](microsoft-edge-and-internet-explorer-11.md)</td>
<td align="left"><p>Updated to include the &quot;Applies to&quot; section</p></td>
</tr>
</tbody>
</table>
 
## December 2015
| New or changed topic | Description |
|---------------------------------------------------------------|-------------|
| [Security](security.md) | New |
| [Windows Update for Business](windows-update-for-busines.md) | New |
 
## November 2015
| New or changed topic | Description |
|------------------------------------------------------------------------------------------------------------------|-------------|
| [AppLocker](applocker.md) | New |
| [BitLocker](bitlocker.md) | New |
| [Credential Guard](credential-guard.md) | New |
| [Device Guard](device-guard-overview.md) | New |
| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-from-windows-embedded-industry-8-1.md) | New |
| [Security auditing](security-auditing.md) | New |
| [Trusted Platform Module](trusted-platform-module.md) | New |
| [Windows spotlight on the lock screen](windows-spotlight.md) | New |
| [Windows Store for Business overview](business-store-for-windows-10.md) | New |
 
## Related topics
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
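Review bot: the February and January tables are raw HTML while December and November are pipe tables; use one form throughout the file. The November row names the topic `Lockdown features from Windows Embedded 8.1 Industry`, whereas the February row and the TOC added in this commit call it `Windows Embedded Industry 8.1`; align the title. The December row for Windows Update for Business links to `windows-update-for-busines.md`, the same misspelled target as the TOC, so fix it in both places or confirm the filename.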
 
 

View File

@ -0,0 +1,44 @@
---
title: What's new in Credential Guard? (Windows 10)
description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in Credential Guard?
**Applies to**
- Windows 10
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
## New features in Windows 10, Version 1511
- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
- Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
- Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.
[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md).
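Review bot: the `Enable Credential Guard without UEFI lock` bullet reads as a non sequitur (`You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely.`); state the trade-off directly: enabling through the registry without the UEFI lock means the setting can also be cleared remotely, whereas with the UEFI lock it cannot, which is why the lock is the recommended configuration. The Credential Manager bullet should also say up front that the backup restriction applies only to backups taken after Credential Guard is on, since the three sub-bullets currently leave the reader to infer that from the last one.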
 
 

View File

@ -0,0 +1,164 @@
---
title: Device Guard overview (Windows 10)
description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.
ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2
keywords: ["Device Guard"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Device Guard overview
**Applies to**
- Windows 10
- Windows 10 Mobile
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
## Why use Device Guard
With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise.
Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210).
### Advantages to using Device Guard
You can take advantage of the benefits of Device Guard, based on what you turn on and use:
- Helps provide strong malware protection with enterprise manageability
- Helps provide the most advanced malware protection ever offered on the Windows platform
- Offers improved tamper resistance
## How Device Guard works
Device Guard restricts the Windows 10 Enterprise operating system to only running code thats signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including:
- User Mode Code Integrity (UMCI)
- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints)
- Secure Boot with database (db/dbx) restrictions
- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering.
- **Optional:** Trusted Platform Module (TPM) 1.2 or 2.0
Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10 Enterprise. After that, Device Guard works to help protect your devices:
1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits cant run and so that Windows 10 Enterprise starts before anything else.
2. After securely starting up the Windows boot components, Windows 10 Enterprise can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup.
3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run.
4. At the same time that Windows 10 Enterprise starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates.
## Required hardware and software
The following table shows the hardware and software you need to install and configure to implement Device Guard.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Requirement</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows 10 Enterprise</p></td>
<td align="left"><p>The PC must be running Windows 10 Enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><p>UEFI firmware version 2.3.1 or higher and Secure Boot</p></td>
<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) Windows Hardware Compatibility Program requirement.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Virtualization extensions</p></td>
<td align="left"><p>The following virtualization extensions are required to support virtualization-based security:</p>
<ul>
<li>Intel VT-x or AMD-V</li>
<li>Second Level Address Translation</li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Firmware lock</p></td>
<td align="left"><p>The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. You should also disable boot methods other than from the hard drive.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>x64 architecture</p></td>
<td align="left"><p>The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.</p></td>
</tr>
<tr class="even">
<td align="left"><p>A VT-d or AMD-Vi IOMMU (Input/output memory management unit)</p></td>
<td align="left"><p>In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Secure firmware update process</p></td>
<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system_fundamentals_firmware_uefisecureboot) Windows Hardware Compatibility Program requirement.</p></td>
</tr>
</tbody>
</table>
 
## Before using Device Guard in your company
Before you can successfully use Device Guard, you must set up your environment and your policies.
### Signing your apps
Device Guard mode supports both UWP apps and Classic Windows applications. Trust between Device Guard and your apps happen when your apps are signed using a signature that you determine to be trustworthy. Not just any signature will work.
This signing can happen by:
- **Using the Windows Store publishing process.** All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
- **Using your own digital certificate or public key infrastructure (PKI).** ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
- **Using a non-Microsoft signing authority.** ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
- **Using a Microsoft-provided web service (coming later this year).** ISV's and enterprises will be able to use a more secure, Microsoft-provided web service to sign their Classic Windows applications.
### Code Integrity policy
Before you can use the app protection included in Device Guard, you must create a Code Integrity policy using tools provided by Microsoft, but deployed using your current management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. This policy restricts what code can run on a device.
For the Device Guard feature, devices should only have Code Integrity pre-configured if the settings are provided by a customer for a customer-provided image.
**Note**  This XML document can be signed in Windows 10 Enterprise, helping to add additional protection against administrative users changing or removing this policy.
 
### Virtualization-based security using Windows 10 Enterprise Hypervisor
Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer.
**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers - legacy drivers can be updated - and have all virtualization capabilities turned on. This includes virtualization extensions and input/output memory management unit (IOMMU) support.
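Review bot: the Signing your apps bullets name the same store two ways in one sentence, "Using the Windows Store publishing process" followed by "All apps that come out of the Microsoft Store"; use one name. Two grammar fixes in the same section: "Trust between Device Guard and your apps happen" should be "happens", and "ISV's" should be "ISVs" (plural, not possessive). In the Code Integrity policy section the sentence "devices should only have Code Integrity pre-configured if the settings are provided by a customer for a customer-provided image" is hard to parse; state explicitly who is expected to pre-configure the policy and in which image. In the Important note, the parenthetical "compatible drivers - legacy drivers can be updated - and" reads better in parentheses than with bare hyphens.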
 
 
 

View File

@ -0,0 +1,123 @@
---
title: Enterprise management for Windows 10 devices (Windows 10)
description: Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Enterprise management for Windows 10 devices
**Applies to**
- Windows 10
- Windows 10 Mobile
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
## MDM support
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. To learn more about policies, see [Configuration service provider reference for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533046).
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
Corporate-owned devices can be enrolled automatically for enterprises using Azure AD.
## Unenrollment
When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.
When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.
## Infrastructure
Enterprises have the following identity and management choices.
| | |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Identity | Active Directory; Azure AD |
| Grouping | Domain join; Workgroup; Azure AD join |
| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
 
**Note**  
With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512).
 
## Device lockdown
Do you need a computer that can only do one thing? For example:
- A device in the lobby that customers can use to view your product catalog.
- A portable device that drivers can use to check a route on a map.
- A device that a temporary worker uses to enter data.
You can configure a persistent locked down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select.
You can also configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen.
## Updates
With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies.
While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements.
For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
## Easier certificate management
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Microsoft Passport in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device.
## Learn more
[Windows 10: Manageability Choices](http://go.microsoft.com/fwlink/p/?LinkId=533886)
[Windows 10: Management](http://go.microsoft.com/fwlink/p/?LinkId=533887)
[Windows 10 Technical Preview Fundamentals for IT Pros: Windows 10 Management and Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533888)
[Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172)
Active Directory blog posts on Azure AD and Windows 10:
- [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=619025)
- [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791)
- [Azure AD on Windows 10 Personal Devices]( http://go.microsoft.com/fwlink/p/?LinkId=619028)
- [Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!](http://go.microsoft.com/fwlink/p/?LinkID=615765)
## Related topics
[Manage corporate devices](../manage/manage-corporate-devices.md)
[Microsoft Passport](microsoft-passport.md)
[Enterprise Data Protection Overview](enterprise-data-protection-overview.md)
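Review bot: the Infrastructure table has an empty header row ("| | |"), so the Identity, Grouping and Device management rows render with no column captions; give the two columns headings, for example "Area" and "Choices". The "Azure AD on Windows 10 Personal Devices" link has a space between "(" and "http://", which strict markdown renderers will not treat as a link; remove it. In MDM support, "is based on [Open Mobile Alliance (OMA)] Device Management (DM) protocol 1.2.1 specification" needs "the" before the link text.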
 
 

View File

@ -0,0 +1,172 @@
---
title: Enterprise data protection (EDP) overview (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprises control like email, social media, and the public cloud.
ms.assetid: 428A3135-CB5E-478B-B1FF-B6EB76F0DF14
keywords: ["EDP Overview", "EDP"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Enterprise data protection (EDP) overview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprises control like email, social media, and the public cloud.
Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared.
### Benefits of EDP
EDP provides:
- Additional protection against enterprise data leakage, with minimal impact on employees regular work practices.
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
- Ability to wipe corporate data from devices while leaving personal data alone.
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
- Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys.
- Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490).
### Prerequisites
Youll need this software to run EDP in your enterprise:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Management solution</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Windows 10</td>
<td align="left"><ul>
<li><p>Intune</p>
<p><strong>-OR-</strong></p></li>
<li><p>Configuration Manager (version 1511 or later)</p>
<p><strong>-OR-</strong></p></li>
<li><p>Your current company-wide MDM solution</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
### Enterprise scenarios
EDP currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
- You can select specific apps that can access enterprise data, called “privileged apps” that are clearly recognizable to employees. You can also block non-privileged apps from accessing enterprise data.
- Your employees won't have their work interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including helping you:
- Deal with unwanted employee experiences because of severe data protection policies.
- Maintain the privacy of your enterprise data.
- Manage apps that arent policy-aware, especially on mobile devices.
- Handle the inability to lock down employee-owned devices, potentially allowing the accidental release of enterprise data.
### Protection modes
You can set EDP to 1 of 4 protection modes:
- **Block.** EDP looks for inappropriate data sharing and stops the employee from completing the action.
- **Override.** EDP looks for inappropriate data sharing, letting employees know whether they do something inappropriate. However, this protection mode lets the employee override the policy and share the data anyway, while logging the action to your audit log.
- **Audit.** EDP runs silently, logging inappropriate data sharing, without blocking anything.
- **Off.** EDP isn't active and doesn't protect your data.
### Great employee experiences
EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side.
### Changing the EDP protection
Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review
### Enterprise data security
As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isnt actively using it. In this case, when the employee initially creates the content on a managed device hes asked whether its a work document. If it's a work document, it becomes locally-protected as enterprise data.
### Remotely wiping devices of enterprise data
EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer.
In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally.
### Copying or downloading enterprise data
Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while its stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device.
### Privileged apps and restrictions
Using EDP you can control the set of apps that are made “privileged apps”, or apps that can access and use your enterprise data. After you add an app to your privileged app list, its trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode.
As a note, your existing line-of-business apps dont have to change to be included as privileged apps. You simply have to include them in your list.
### Using privileged apps
Privileged apps are allowed to access your enterprise data and will react differently with other non-privileged or personal apps. For example, if your EDP protection mode is set to block, your privileged apps will let the user copy and paste information between other privileged apps, but not with personal apps. Imagine an HR person wants to copy a job description from a privileged app to the career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem.
### Deciding your level of data access
EDP lets you decide to block, allow overrides, or audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and audit just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action.
### Persistent data encryption
EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it wont work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
### Helping prevent accidental data disclosure to public spaces
EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your privileged list), then the document is encrypted locally and not synched it to the users personal cloud. Likewise, if other synching apps, like Dropbox™, arent on the privileged list, they also wont be able to sync encrypted files to the users personal cloud.
### Helping prevent accidental data disclosure to other devices
EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device.
**Important**  EDP also supports per-file encryption on SD cards along with the device encryption policy. To access your encrypted data, you will need to set up RMS during your EDP policy set up.
 
### Turn off EDP
You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info.
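Review bot: apostrophes have been stripped throughout this file ("theres", "enterprises control", "Youll", "employees regular", "isnt", "arent", "hes", "its" where "it's" is meant, "users personal cloud", "dont", "couldnt", "wont"), including in the front-matter description that the TOC and search results will display; restore them. "Changing the EDP protection" ends without a period after "for you to review", and the Office mobile apps link under Benefits of EDP has a space after the opening parenthesis of the URL. In "Helping prevent accidental data disclosure to public spaces", "not synched it to the users personal cloud" should read "not synched to the user's personal cloud".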
 
 

Binary file not shown. Size: 4.5 KiB

Binary file not shown. Size: 305 KiB

Binary file not shown. Size: 217 KiB

Binary file not shown. Size: 145 KiB
View File

@ -0,0 +1,124 @@
---
title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14
keywords: ["lockdown", "embedded"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: TrudyHa
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
- Windows 10
- Windows 10 Mobile
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Windows Embedded 8.1 Industry lockdown feature</th>
<th align="left">Windows 10 feature</th>
<th align="left">Changes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device</p></td>
<td align="left">N/A</td>
<td align="left"><p>HORM is not supported in Windows 10. However, with enhancements to the Windows boot process and Unified Extensible Firmware Interface (UEFI) hardware, startup times can be dramatically reduced compared to previous versions.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media</p></td>
<td align="left">[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)</td>
<td align="left"><p>The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations</p></td>
<td align="left">[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)</td>
<td align="left"><p>Keyboard filter is added in Windows 10, Version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via <strong>Turn Windows Features On/Off</strong>. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on</p></td>
<td align="left">[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)</td>
<td align="left"><p>Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the <strong>SMISettings</strong> category.</p>
<p>Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on</p></td>
<td align="left">[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run</p></td>
<td align="left">[AppLocker](../keep-secure/applocker-overview-server.md)</td>
<td align="left"><p>Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.</p>
<ul>
<li><p>Control over which processes are able to run will now be provided by AppLocker.</p></li>
<li><p>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>[Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications</p></td>
<td align="left">Mobile device management (MDM) and Group Policy</td>
<td align="left"><p>Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.</p>
<p>Group Policy: <strong>User Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>Start Menu and Taskbar</strong> &gt; <strong>Notifications</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow action center notifications</strong> and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for <strong>AboveLock/AllowActionCenterNotifications</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features</p></td>
<td align="left">[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)</td>
<td align="left"><p>The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system</p></td>
<td align="left">MDM and Group Policy</td>
<td align="left"><p>The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.</p>
<p>Group Policy: <strong>Computer Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>System</strong> &gt; <strong>Device Installation</strong> &gt; <strong>Device Installation Restrictions</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow removable storage</strong> or <strong>Allow USB connection (Windows 10 Mobile only)</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system</p></td>
<td align="left">[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.</p>
<p>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.</p>
<p>Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen</p></td>
<td align="left">[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown</p></td>
<td align="left">[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)</td>
<td align="left"><p>No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements</p></td>
<td align="left">[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)</td>
<td align="left"><p>No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.</p></td>
</tr>
</tbody>
</table>
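Review bot: the Windows 10 feature cell for the write filter row reads "Unified Writer Filter" while the feature cell and the Changes cell say "Unified Write Filter"; correct the typo. The product name alternates between "Windows Embedded 8.1 Industry" (title, heading, first sentence) and "Windows Embedded Industry 8.1" (second sentence of the description, Keyboard Filter row); pick one form. Four links (Keyboard Filter, Application Launcher, Toast Notification Filter, Custom Logon) have a space after "(" before the URL. In the Dialog Filter row, "provided two capabilities; the ability to" should use a colon, not a semicolon, before the enumeration.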
 
 
 

View File

@ -0,0 +1,80 @@
---
title: Browser-- Microsoft Edge and Internet Explorer 11 (Windows 10)
description: Resources to help you explore the Windows 10 browsing options for your enterprise.
ms.assetid: E986F903-69AD-4145-9D24-0C6D04B3E489
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Browser: Microsoft Edge and Internet Explorer 11
**Microsoft Edge content applies to:**
- Windows 10
- Windows 10 Mobile
**Internet Explorer 11 content applies to:**
- Windows 10
Resources to help you explore the Windows 10 browsing options for your enterprise.
## Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
### Microsoft Edge
Microsoft Edge is the new, default web browser for Windows 10 and Windows 10 Mobile, taking you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### IE11
IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Security features such as SmartScreen and Enhanced Protected Mode help reduce the risk from malicious sites and downloads.
- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
[Web Application Compatibility Lab Kit for Internet Explorer 11](http://go.microsoft.com/fwlink/p/?LinkId=715642)
[Download Internet Explorer 11](http://go.microsoft.com/fwlink/p/?linkid=290956)
[Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=618271)
[Internet Explorer 11 - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?linkid=313986)
[IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](http://go.microsoft.com/fwlink/p/?LinkId=619690)
---
title: Microsoft Passport overview (Windows 10)
description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B
keywords: ["password", "hello", "fingerprint", "iris", "biometric"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Microsoft Passport overview
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (Azure AD) account, or a non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport credential is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate the user and help them access protected resources and services.
Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing in to Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect over Bluetooth to access Microsoft Passport on the user's Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
## Benefits of Microsoft Passport
- **User convenience**. The employee provides credentials (such as account and password, or other credentials) once, and is then guided to set up Microsoft Passport and Windows Hello. From that point on, the employee can access enterprise resources by providing a gesture.
- **Security**. Microsoft Passport helps protect user identities and user credentials. Because no password is sent or stored, it helps defeat phishing and brute-force attacks. The credential is an asymmetric key pair: the server holds only the public key, so a breach of the server does not yield a secret that can be reused elsewhere, and each sign-in signs a fresh challenge, so a captured response cannot be replayed. When the private key is generated inside the device's Trusted Platform Module (TPM), it never leaves that isolated hardware.
[Learn how to implement and manage Microsoft Passport in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md)
## Learn more
[Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md)
[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890)
[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891)
## Related topics
[Device management](device-management.md)
---
title: Provisioning packages (Windows 10)
description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Provisioning packages
**Applies to**
- Windows 10
- Windows 10 Mobile
With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
## Benefits of provisioning packages
Provisioning packages let you:
- Quickly configure a new device without going through the process of installing a new image.
- Save time by configuring multiple devices using one provisioning package.
- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
- Set up a device without the device having network connectivity.
Provisioning packages can be:
- Installed using removable media such as an SD card or USB flash drive.
- Attached to an email.
- Downloaded from a network share.
Because a package can install root certificates and apps, join the device to a domain, and enroll it into MDM, treat it like an installer: apply packages only from sources you trust, and prefer a controlled share over email for distribution. Windows asks the user to confirm that a package comes from a trusted source before applying it.
## What you can configure
The following table provides some examples of what can be configured using provisioning packages.
| Customization options | Examples |
|--------------------------|-----------------------------------------------------------------------------------------------|
| Applications | Windows apps, line-of-business applications |
| Bulk enrollment into MDM | Automatic enrollment into Microsoft Intune or a third-party MDM service |
| Certificates | Root certification authority (CA), client certificates |
| Connectivity profiles | Wi-Fi, proxy settings, Email |
| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
| Data assets | Documents, music, videos, pictures |
| Start menu customization | Start menu layout, application pinning |
| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
 
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
## Creating a provisioning package
With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10 [from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700).
While running adksetup.exe, select the following features in the **Select the features you want to install** dialog box:
- Deployment Tools
- Windows Preinstallation Environment (Windows PE)
- Windows Imaging and Configuration Designer (ICD)
- Windows User State Migration Tool (USMT)
Windows ICD depends on other tools in order to work correctly. If you only select Windows ICD in the installation wizard, the other tools listed above will also be selected for installation.
Once you have installed Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
## Applying a provisioning package to a device
Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651).
## Learn more
[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708)
## Related topics
[Update Windows 10 images with provisioning packages](../deploy/update-windows-10-images-with-provisioning-packages.md)
[Configure devices without MDM](../manage/configure-devices-without-mdm.md)
---
title: What's new in security auditing? (Windows 10)
description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system.
ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in security auditing?
**Applies to**
- Windows 10
- Windows 10 Mobile
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
## New features in Windows 10, Version 1511
- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
## New features in Windows 10
In Windows 10, security auditing has added some improvements:
- [New audit subcategories](#new-audit-subcategories)
- [More info added to existing audit events](#more-info-added-to-existing-audit-events)
### New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
- [Audit Group Membership](../keep-secure/audit-group-membership.md). Found in the Logon/Logoff audit category, the Audit Group Membership subcategory lets you audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**, or no group membership events are produced. Multiple events are generated if the group membership information cannot fit in a single security audit event.
- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md). Found in the Detailed Tracking category, the Audit PNP Activity subcategory lets you audit when Plug and Play detects an external device.
Only Success audits are recorded for this subcategory. If you do not configure this policy setting, no audit event is generated when an external device is detected by Plug and Play.
A PnP audit event can be used to track changes in system hardware and is logged on the PC where the change took place. A list of hardware vendor IDs is included in the event.
### More info added to existing audit events
With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
- [Changed the kernel default audit policy](#changed-the-kernel-default-audit-policy)
- [Added a default process SACL to LSASS.exe](#added-a-default-process-sacl-to-lsassexe)
- [Added new fields in the logon event](#new-fields-in-the-logon-event)
- [Added new fields in the process creation event](#new-fields-in-the-process-creation-event)
- [Added new Security Account Manager events](#new-security-account-manager-events)
- [Added new BCD events](#new-bcd-events)
- [Added new PNP events](#new-pnp-events)
### Changed the kernel default audit policy
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
### Added a default process SACL to LSASS.exe
In Windows 10, a default process SACL was added to LSASS.exe to log processes that attempt to access it. The SACL is `S:(AU;SAFA;0x0010;;;WD)`: an audit ACE (`AU`) for both successful and failed access (`SA` and `FA`) by Everyone (`WD`) to access right `0x0010`, which on a process object is PROCESS_VM_READ. The resulting audit events are only written when **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object** is enabled.
This can help identify attacks that steal credentials from the memory of the LSASS process. Expect some legitimate hits as well: some security and monitoring software also opens LSASS with this right, so baseline the processes that normally do so before alerting on the rest.
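As an added example that is not part of the original page, the following script enables the subcategories this section and the "New audit subcategories" section describe with `auditpol.exe` and then reads the effective settings back. Run it elevated. If Advanced Audit Policy is managed through Group Policy, put the same values in the GPO instead; a domain policy overwrites local `auditpol` changes at the next refresh. The subcategory names are the ones `auditpol /list /subcategory:*` shows on Windows 10.

```powershell
# Added example (not from the original page): enable the Windows 10 audit subcategories and verify them.

function Enable-AuditSubcategory {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Failure        # audit failures as well as successes
    )
    $fail = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set "/subcategory:$Name" /success:enable "/failure:$fail" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$Name'" }
}

# Group Membership (event 4627) is only produced alongside a Logon event, so Logon must be
# audited too; both live under Logon/Logoff.
Enable-AuditSubcategory -Name 'Logon' -Failure
Enable-AuditSubcategory -Name 'Group Membership'

# Plug and Play Events (Detailed Tracking) is success-only; failures are not recorded.
Enable-AuditSubcategory -Name 'Plug and Play Events'

# Kernel Object (Object Access) is what turns the default SACL on lsass.exe into
# 4656/4663 events when a process opens LSASS with PROCESS_VM_READ (the 0x0010 in the SACL).
Enable-AuditSubcategory -Name 'Kernel Object' -Failure

# Read back the effective policy for the four subcategories.
foreach ($Name in 'Logon', 'Group Membership', 'Plug and Play Events', 'Kernel Object') {
    & auditpol.exe /get "/subcategory:$Name"
}
```

Kernel Object auditing is noisy on a busy machine because every audited handle request produces an event, so scope any alerting to the LSASS object name rather than to the subcategory as a whole.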
### New fields in the logon event
The logon event ID 4624 has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4624:
1. **MachineLogon** String: yes or no
If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
2. **ElevatedToken** String: yes or no
If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown.
3. **TargetOutboundUserName** String
**TargetOutboundUserDomain** String
The username and domain of the identity that was created by the LogonUser method for outbound traffic.
4. **VirtualAccount** String: yes or no
If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
5. **GroupMembership** String
A list of all of the groups in the user's token.
6. **RestrictedAdminMode** String: yes or no
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
### New fields in the process creation event
The process creation event ID 4688 has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4688:
1. **TargetUserSid** String
The SID of the target principal.
2. **TargetUserName** String
The account name of the target user.
3. **TargetDomainName** String
The domain of the target user.
4. **TargetLogonId** String
The logon ID of the target user.
5. **ParentProcessName** String
The name of the creator process.
6. **ParentProcessId** String
A pointer to the actual parent process if it's different from the creator process.
### New Security Account Manager events
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798, logged when a user's local group membership is enumerated, and event ID 4799, logged when the membership of a security-enabled local group is enumerated. Tools that map local administrators before moving laterally rely on exactly these reads, so both events are useful for spotting reconnaissance. The following APIs are now audited:
- SamrEnumerateGroupsInDomain
- SamrEnumerateUsersInDomain
- SamrEnumerateAliasesInDomain
- SamrGetAliasMembership
- SamrLookupNamesInDomain
- SamrLookupIdsInDomain
- SamrQueryInformationUser
- SamrQueryInformationGroup
- SamrQueryInformationUserAlias
- SamrGetMembersInGroup
- SamrGetMembersInAlias
- SamrGetUserDomainPasswordInformation
### New BCD events
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
- DEP/NX settings
- Test signing
- PCAT SB simulation
- Debug
- Boot debug
- Integrity Services
- Disable Winload debugging menu
### New PNP events
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is an external device that contains malware being inserted into a high-value machine that doesn't expect this type of action, such as a domain controller.
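As an added example that is not part of the original page, the script below shows how the new fields described in the sections above can be used for triage. It treats each event as the XML that `(Get-WinEvent ...).ToXml()` returns, so the same code runs over exported event data or over the constructed samples embedded at the bottom. The sample hosts, users and paths are invented; the `EventData` field names (`ObjectName`, `AccessMask`, `ProcessName`, `NewProcessName`, `ParentProcessName`, `TestSigning`, `KernelDebug`, `DeviceDescription`, `VendorIds`) are the ones I know from the 4663, 4688, 4826 and 6416 templates and should be checked against your own events. The list of high-value hosts is an assumed input.

```powershell
# Added example (not from the original page). Field names and the high-value host list are assumptions.

$HighValueHosts = @('DC01.contoso.com')   # assumption: hosts where a new PnP device is unexpected

function ConvertTo-EventRecord {
    # Flatten one event's XML into a hashtable: EventID, Computer, plus every EventData field.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    $idNode = $doc.Event.System.EventID
    $id = if ($idNode -is [System.Xml.XmlElement]) { $idNode.InnerText } else { $idNode }
    $rec = @{ EventID = [int]$id; Computer = [string]$doc.Event.System.Computer }
    foreach ($d in $doc.Event.EventData.Data) {
        $rec[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $rec
}

function Find-SuspiciousEvent {
    # Emits one finding per matched event; events that match no rule are dropped.
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($xml in $EventXml) {
        $e = ConvertTo-EventRecord $xml
        $reason = $null
        switch ($e.EventID) {
            4663 {
                # The default LSASS SACL audits PROCESS_VM_READ (0x0010); a process reading
                # LSASS memory is the credential-dumping pattern the SACL was added to expose.
                if ($e.ObjectName -like '*\lsass.exe' -and ([int]$e.AccessMask -band 0x10)) {
                    $reason = "$($e.ProcessName) opened LSASS for memory read"
                }
            }
            4688 {
                # ParentProcessName is new in Windows 10: an Office app spawning a shell is a
                # classic macro-dropper chain that the parent link now makes visible.
                if ($e.ParentProcessName -match '\\(winword|excel|powerpnt|outlook)\.exe$' -and
                    $e.NewProcessName -match '\\(cmd|powershell|wscript|cscript|mshta)\.exe$') {
                    $reason = "$($e.ParentProcessName) spawned $($e.NewProcessName)"
                }
            }
            4826 {
                # Boot settings that weaken code integrity: test signing or kernel debugging.
                if ($e.TestSigning -eq 'Yes' -or $e.KernelDebug -eq 'Yes') {
                    $reason = "BCD changed: TestSigning=$($e.TestSigning) KernelDebug=$($e.KernelDebug)"
                }
            }
            6416 {
                # Any new external device on a high-value host deserves a look.
                if ($HighValueHosts -contains $e.Computer) {
                    $reason = "new device '$($e.DeviceDescription)' (vendor $($e.VendorIds))"
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{ EventID = $e.EventID; Computer = $e.Computer; Reason = $reason }
        }
    }
}

# Constructed sample events: the first two match, the third (a USB device on a workstation) does not.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Computer>WS042.contoso.com</Computer></System>
  <EventData>
    <Data Name="ObjectType">Process</Data>
    <Data Name="ObjectName">\Device\HarddiskVolume2\Windows\System32\lsass.exe</Data>
    <Data Name="ProcessName">C:\Users\alice\Downloads\update.exe</Data>
    <Data Name="AccessMask">0x10</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>WS042.contoso.com</Computer></System>
  <EventData>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentProcessName">C:\Program Files\Microsoft Office\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6416</EventID><Computer>WS042.contoso.com</Computer></System>
  <EventData>
    <Data Name="DeviceDescription">USB Mass Storage Device</Data>
    <Data Name="VendorIds">USB\VID_0781&amp;PID_5583</Data>
  </EventData>
</Event>
'@
)

Find-SuspiciousEvent -EventXml $Samples | Format-Table -AutoSize
```

To run this over live data, replace `$Samples` with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663,4688,4826,6416} | ForEach-Object { $_.ToXml() }`. The 4688 rule only sees process names; if you also want command lines, enable the separate "Include command line in process creation events" policy, which adds a `CommandLine` field to the same event.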
[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview-glbl.md).
---
title: What's new in Windows 10 security (Windows 10)
description: There are several key client security improvements Microsoft has made in Windows 10.
ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81
keywords: ["secure", "data loss prevention", "multifactor authentication"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in Windows 10 security
**In this article**
- [Threat resistance](#threat_resistance)
- [Information protection](#information_protection)
- [Identity protection and access control](#identity_protection_and_access_control)
- [Windows 10 hardware considerations](#hardware)
- [Related topics](#related_topics)
There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.
Microsoft designed the Windows 10 operating system to be the most secure version of the Windows operating system to date. To achieve this goal, Windows 10 employs advanced and now widely available hardware features to help protect users and devices against modern cyber threats. With thousands of new malware variants discovered daily and malicious hacking techniques evolving rapidly, never before has Windows client security been more important. In Windows 10, organizations can deploy new threat-resistant security features that harden the operating system in ways that can benefit Bring Your Own Device (BYOD) and corporate-owned device scenarios, as well as devices for special use cases, such as kiosks, ATMs, and point-of-sale (PoS) systems. These new threat-resistant features are modular: they're designed to be deployed together, although you can also implement them individually. With all these new features enabled together, organizations can protect themselves immediately against a majority of today's most sophisticated threats and malware.
In addition to new, impactful threat mitigations, Windows 10 includes several improvements in built-in information protection, including a new data loss-prevention (DLP) component. These improvements allow organizations to separate business and personal data easily, define which apps have access to business data, and determine how data can be shared (for example, copy and paste). Unlike other DLP solutions, Microsoft integrated this functionality deeply into the Windows platform, offering the same type of security capabilities that container-based solutions offer but without altering such user experiences as requiring mode changes or switching applications.
Finally, new identity-protection and access control features make it easier to implement two-factor authentication (2FA) across the entire enterprise, which empowers organizations to transition away from passwords. Windows 10 introduces Microsoft Passport, a new 2FA user credential built directly into the operating system that users can access with either a PIN or a new biometrics-driven capability called Windows Hello. Together, these technologies provide a simple logon experience for users, with the robust security of multifactor authentication (MFA). Unlike third-party multifactor solutions, Microsoft Passport is designed specifically to integrate with Microsoft Azure Active Directory (Azure AD) and hybrid Active Directory environments and requires minimal administrative configuration and maintenance.
## Threat resistance
Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline. Since then, attackers' motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom and exploiting the valuable information the attackers discover for monetary gain. Beyond these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge.
Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks.
### Virtualization-based security
In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised.
Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services:
- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config_code) section.
- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section.
**Note**  
To determine whether a client machine model supports virtualization, run **systeminfo** from a command prompt and look at the **Hyper-V Requirements** section at the end of the output: VM Monitor Mode Extensions, Virtualization Enabled In Firmware, Second Level Address Translation, and Data Execution Prevention Available must all be **Yes**. If Hyper-V is already installed, systeminfo only reports that a hypervisor is present, which also means the hardware is capable.
 
VBS provides the core framework for some of the most impactful mitigations Windows 10 offers. Having client machines within your organization that can employ this functionality is crucial to modern threat resistance. For more information about the specific hardware features that each Windows 10 feature requires, including VBS, see the [Windows 10 hardware considerations](#hardware) section.
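As an added example that is not part of the original page, this readiness check goes one step beyond the systeminfo tip above: it reads the `Win32_DeviceGuard` CIM class, the Secure Boot state and the TPM state, and reports which VBS prerequisites the hardware offers, which VBS services are configured, and which are actually running. The numeric codes are the documented `Win32_DeviceGuard` values as I know them; confirm them against the class documentation for your build. Run it elevated.

```powershell
# Added example (not from the original page). Property codes for Win32_DeviceGuard are assumptions
# taken from the class documentation; verify for your build.

function Get-VbsReadiness {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Codes used by AvailableSecurityProperties and RequiredSecurityProperties
    $propNames = @{
        1 = 'Hypervisor support (SLAT, VT-x/AMD-V)'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
    }
    # Codes used by SecurityServicesConfigured and SecurityServicesRunning
    $svcNames  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    # Confirm-SecureBootUEFI throws on legacy BIOS boot, which itself rules VBS out.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableHardware  = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })
        RequiredHardware   = @($dg.RequiredSecurityProperties  | ForEach-Object { $propNames[[int]$_] })
        ServicesConfigured = @($dg.SecurityServicesConfigured  | ForEach-Object { $svcNames[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })
        SecureBootOn       = [bool]$secureBoot
        TpmPresentAndReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        # Credential Guard and HVCI both need hypervisor support (1) and Secure Boot (2).
        CanRunVbs          = (1 -in $dg.AvailableSecurityProperties) -and (2 -in $dg.AvailableSecurityProperties)
    }
}

Get-VbsReadiness | Format-List
```

The gap between `ServicesConfigured` and `ServicesRunning` is the useful signal after deployment: a service that is configured but not running usually means a driver or firmware prerequisite failed at boot, and the Device Guard deployment guide linked later on this page covers how to chase that down.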
### Device Guard
Microsoft Device Guard is a feature set that combines system integrity-hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization_security) section. For more information about configurable code integrity, see the [Configurable code integrity](#config_code) section.
Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organizations client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section.
For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config_code) section.
New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it's ready for use. Going forward, all devices will fall into one of the following three categories:
- **Device Guard capable**. These devices will meet all the hardware requirements for Device Guard. You will still need to properly prepare devices with components that require enablement or configuration for Device Guard deployment. Device drivers on the device must be compatible with HVCI and may require updates from the original equipment manufacturer (OEM).
- **Device Guard ready**. Device Guard-ready devices will come directly from the OEM with all necessary hardware components and drivers to run Device Guard. In addition, all of these components will be pre-configured and enabled, which minimizes the effort needed to deploy Device Guard. No interaction with the BIOS is necessary to deploy these devices, and you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to manage them.
- **Not supported for Device Guard**. Many current devices cannot take advantage of all Device Guard features because they don't have the required hardware components or HVCI-compatible drivers. However, most of these devices can enable some Device Guard features, such as configurable code integrity.
For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
### Configurable code integrity
*Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren't the only route malware can take to penetrate the operating system's kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards.
Historically, UMCI has been available only for Windows RT and Windows Phone devices, which made it difficult for attackers to infect such devices with viruses and malware. This reduced infection rate results from the way the operating system determines which code to execute. Natively, binaries follow a process to prove to the operating system that they are trustworthy before the operating system allows them to execute. This process is intended to restrict the execution of arbitrary code and thereby decrease the risk of malware infection. This successful trust-nothing operating system model is now available in Windows 10 through a feature called *configurable code integrity*.
Configurable code integrity allows IT organizations to create and deploy code integrity policies that stipulate exactly which binaries can run in their environment. Administrators can manage this trust at a certification authority or publisher level down to the individual hash values for each executed binary. This level of customization allows organizations to create policies that are as restrictive as they desire. In addition, organizations can choose to provide different levels of restriction for certain types of machines. For example, fixed-workload devices such as kiosks and PoS systems would likely receive a strict policy, because their purpose is to provide the same service day after day. Administrators can manage devices that have more variable workloads, such as users' PCs, at a higher level, allowing certain software publishers' applications for installation or aligning those devices with the organization's software catalog.
**Note**  
Configurable code integrity is not intended to replace technologies that allow or block programs such as AppLocker or an organizations antivirus software. Rather, it complements such technologies by establishing a baseline of security, and then using those additional technologies to fine-tune client security.
 
Configurable code integrity is not limited to Windows Store applications. In fact, it is not even limited to existing signed applications. Windows 10 gives you a way to sign line-of-business or third-party applications without having to repackage them: you can monitor the application's installation and initial execution to create a list of binaries called a catalog file. When created, you sign these catalog files and add the signing certificate to the code integrity policy so that those binaries contained within the catalog files are allowed to execute. Then, you can use Group Policy, Configuration Manager, or any other familiar management tool to distribute these catalog files to your client machines. Historically, most malware has been unsigned; simply by deploying code integrity policies, your organization can immediately protect itself against unsigned malware, which is responsible for most modern attacks.
**Note**  
For detailed deployment and planning information about configurable code integrity, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
 
The process to create, test, and deploy a code integrity policy is as follows:
1. **Create a code integrity policy.** Use the Windows PowerShell cmdlet **New-CIPolicy**, available in Windows 10, to create a new code integrity policy. This cmdlet scans a PC for all listings of a specific policy level. For example, if you set the rule level to **Hash**, the cmdlet would add hash values for all discovered binaries to the policy that resulted from the scan. When you enforce and deploy the policy, this list of hash values determines exactly which binaries are allowed to run on the machines that receive the policy. Code integrity policies can contain both a kernel mode and user mode execution policy, restricting what can run in either or both modes. Finally, when created, this policy is converted to binary format so that the managed client can consume it when the policy is copied to the clients code integrity folder.
2. **Audit the code integrity policy for exceptions.** When you first create a code integrity policy, audit mode is enabled by default so that you can simulate the effect of a code integrity policy without actually blocking the execution of any binaries. Instead, policy exceptions are logged in the CodeIntegrity event log so that you can add the exceptions to the policy later. Be sure to audit any policy to discover potential issues before you deploy it.
3. **Merge the audit results with the existing policy.** After you have audited a policy, you can use the audit events to create an additional code integrity policy. Because each machine processes just one code integrity policy, you must merge the file rules within this new code integrity policy with the original policy. To do so, run the **Merge-CIPolicy** cmdlet, which is available in Windows 10 Enterprise.
4. **Enforce and sign the policy.** After you create, audit, and merge the resulting code integrity policies, its time to enforce your policy. To do so, run the **Set-RuleOption** cmdlet to remove the **Unsigned Policy** rule. When enforced, no binaries that are exceptions to the policy will be allowed to run. In addition to enforcing a policy, signed policies offer an additional level of protection. Signed code integrity policies inherently protect themselves against manipulation and deletion, even by administrators.
5. **Deploy the code integrity policy.** When you have enforced and optionally signed your code integrity policy, its ready for deployment. To deploy your code integrity policies, you can use Microsoft client management technologies, mobile device management solutions, or Group Policy, or you can simply copy the file to the correct location on your client computers. For Group Policy deployment, a new administrative template is available in Windows 10 and the Windows Server 2016 operating system to simplify the deployment process.
**Note**  
Configurable code integrity is available in Windows 10 Enterprise and Windows 10 Education.
 
You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organizations desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
### Measured Boot and remote attestation
Although software-based antimalware and antivirus solutions are effective, they have no way to detect preoperating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the clients Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the devices health state.
Measured Boot uses one of TPMs key functionalities and provides unique benefits to secure organizations. The feature can accurately and securely report the state of a machines trusted computing base (TCB). By measuring a systems TCB, which consists of crucial startup-related security components such as firmware, the Operating System Loader, and drivers and software, the TPM can store the current device state in platform configuration registers (PCRs). When this measurement process is complete, the TPM cryptographically signs this PCR data so that Measured Boot information can be sent to either the Windows cloud-based device health attestation service or a non-Microsoft equivalent for signing or review. For example, if a company only wants to validate a computers BIOS information before allowing network access, PCR\[0\], which is the PCR that contains BIOS information, would be added to the policy for the attestation server to validate. This way, when the attestation server receives the manifest from the TPM, the server knows which values that PCR should contain.
Measured Boot by itself does not prevent malware from loading during the startup process, but it does provide a TPM-protected audit log that allows a trusted remote attestation server to evaluate the PCs startup components and determine its trustworthiness. If the remote attestation server indicates that the PC loaded an untrusted component and is therefore out of compliance, a management system can use the information for conditional access scenarios to block the PCs access to network resources or perform other quarantine actions.
### Improvements in Windows Defender
For Windows 10, Microsoft has revamped Windows Defender and combined it with Microsoft System Center Endpoint Protection. Unlike with Microsoft System Center 2012 R2, there will be no System Center Endpoint Protection client to deploy to Windows 10 machines because Windows Defender is built into the operating system and enabled by default.
In addition to simplified deployment, Windows Defender contains several improvements. The most important improvements to Windows Defender are:
- **Early Launch Antimalware (ELAM) compatible.** After Secure Boot has verified that the loading operating system is trusted, ELAM can start a registered and signed antimalware application before any other operating system components. Windows Defender is compatible with ELAM.
- **Local context for detections and centralized sensory data.** Unlike most antimalware software and previous versions of Windows Defender, Windows Defender in Windows 10 reports additional information about the context of discovered threats. This information includes the source of the content that contains the threat as well as the historical movement of the malware throughout the system. When collection is complete, Windows Defender reports this information (when users elect to enable cloud-based protection) and uses it to mitigate threats more quickly.
- **User Account Control (UAC) integration.** Windows Defender is now closely integrated with the UAC mechanism in Windows 10. Whenever a UAC request is made, Windows Defender automatically scans the threat before prompting the user, which helps prevent users from providing elevated privileges to malware.
- **Simplified management.** In Windows 10, you can manage Windows Defender much more easily than ever before. Manage settings through Group Policy, Intune, or Configuration Manager.
## Information protection
Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Enterprise Data Protection (EDP) feature that offers DLP capability. This feature allows an organizations users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites.
Unlike some current DLP solutions, EDP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about EDP in Windows 10, see the [Enterprise Data Protection](#enterprise) section.
In addition to EDP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements to BitLocker](#bitlocker) section.
### Enterprise Data Protection
DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes an EDP feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device.
You can configure EDP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that EDP has incorrectly protected their personal data can modify the datas classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The EDP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN).
To manage EDP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about EDP, see [Enterprise data protection (EDP) overview](enterprise-data-protection-overview.md).
### Improvements in BitLocker
With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has provided an encryption solution called BitLocker directly in Windows since 2004. If your last encounter with BitLocker was in Windows 7, youll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further.
Microsoft has made the following key improvements to BitLocker:
- **Automatic drive encryption through Device Encryption.** By default, BitLocker is automatically enabled on clean installations of Windows 10 if the device has passed the Device Encryption Requirements test from the Windows Hardware Certification Kit. Many Windows 10compatible PCs will meet this requirement. This version of BitLocker is called Device Encryption. Whenever devices on which Drive Encryption is enabled join your domain, the encryption keys can be escrowed in either Active Directory or MBAM.
- **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk.
- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drives encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](1f015738-3bf6-4abb-a1cd-21c04e9ef24f).
- **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required.
## Identity protection and access control
User credentials are vital to the overall security of an organizations domain. Until Windows 10, user name-password combinations were the primary way for a person to prove his or her identity to a machine or system. Unfortunately, passwords are easily stolen, and attackers can use them remotely to spoof a users identity. Some organizations deploy public key infrastructure (PKI)-based solutions, like smart cards, to address the weaknesses of passwords. Because of the complexity and costs associated with these solutions, however, theyre rarely deployed and, even when they are used, frequently used only to protect top-priority assets such as the corporate VPN. Windows 10 introduces new identity-protection and access control features that address the weaknesses of todays solutions and can effectively remove the need for user passwords in an organization.
Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechanism built directly into the operating system. The two factors of authentication include a combination of something you know (for example, a PIN), something you have (for example, your PC, your phone), or something about the user (for example, biometrics). With Microsoft Passport enabled, when you log on to a computer, Microsoft Passport is responsible for brokering user authentication around the network, providing the same SSO experience with which youre familiar. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section.
The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello. Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section.
Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a users derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while its off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hashtype attacks. For more information about Credential Guard, see the [Credential Guard](#credential_guard) section.
### Microsoft Passport
Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user.
Microsoft Passport introduces a strong 2FA mechanism integrated directly into Windows. Many organizations use 2FA today but dont integrate its functionality into their organization because of the expense and time required to do so. Therefore, most organizations use MFA only to secure VPN connections and the highest-value resources on their network, and then use traditional passwords for logon to devices and to navigate the rest of the network. Microsoft Passport is unlike these other forms of 2FA in that Microsoft designed it specifically to address the complexity, cost, and user experience challenges of traditional 2FA solutions, making it simple to deploy throughout the enterprise through existing infrastructure and devices.
Microsoft Passport can use the biometric information from Windows Hello or a unique PIN with cryptographic signing keys stored in the devices TPM. For organizations that dont have an existing PKI, the TPM—or Windows, when no TPM is present—can generate and protect these keys. If your organization has an on-premises PKI or wants to deploy one, you can use certificates from the PKI to generate the keys, and then store them in the TPM. When the user has registered the device and uses Windows Hello or a PIN to log in to the device, the Microsoft Passports private key fulfills any subsequent authentication requests. Microsoft Passport combines the deployment flexibility of virtual smart cards with the robust security of physical smart cards without requiring the extra infrastructure components needed for traditional smart card deployments and hardware such as cards and readers.
In Windows 10, the physical factor of authentication is the users device—either his or her PC or mobile phone. By using the new phone sign-in capability which will available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC.
### Windows Hello
Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a users password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent.
Windows Hello is the enterprise-grade biometric integration feature in Windows 10. This feature allows users to use their face, iris, or fingerprint rather than a password to authenticate. Although biometric logon capabilities have been around since the Windows XPoperating system, they have never been as easy, seamless, and secure as they are in Windows 10. In previous uses of biometrics in Windows, the operating system used the biometric information only to unlock the device; then, behind the scenes the users traditional password was used to access resources on the organizations network. Also, the IT organization had to run additional software to configure the biometric devices to log in to Windows or applications. Windows Hello is integrated directly into the operating system and so doesnt require additional software to function. However, as with any other biometrics-based login, Windows Hello requires specific hardware to function:
- **Facial recognition.** To establish facial recognition, Windows Hello uses special infrared (IR) cameras and anti-spoofing technology to reliably tell the difference between a photograph and a living person. This requirement ensures that no one can take a persons PC and spoof his or her identity simply by obtaining a high-definition picture. Many manufacturers already offer PC models that include such cameras and are therefore compatible with Windows Hello. For those machines that dont currently include these special cameras, several external cameras are available.
- **Fingerprint recognition.** Fingerprint sensors already exist in a large percentage of consumer and business PCs. Most of them (whether external or integrated into laptops or USB keyboards) work with Windows Hello. The detection and anti-spoofing technology available in Windows 10 is much more advanced than in previous versions of Windows, making it more difficult for attackers to deceive the operating system.
- **Iris recognition.** Like facial recognition, iris-based recognition uses special IR cameras and anti-spoofing technology to reliably tell the difference between the users iris and an impostor. Iris recognition will be available in mobile devices by the end of 2016 but is also available for independent hardware vendors and OEMs to incorporate into PCs.
With Windows Hello in conjunction with Microsoft Passport, users have the same SSO experience they would if they logged on with domain credentials: they simply use biometrics, instead. In addition, because no passwords are involved, users wont be calling the help desk saying that they have forgotten their password. For an attacker to spoof a users identity, he or she would have to have physical possession of both the user and the device on which the user is set up for Windows Hello. From a privacy perspective, organizations can rest assured that the biometric data Windows Hello uses is not centrally stored; cant be converted to images of the users fingerprint, face, or iris; and is designed never to leave the device. In the end, Windows Hello and Microsoft Passport can completely remove the necessity for passwords for Azure AD and hybrid Azure AD/Active Directory environments and the apps and web services that depend on them for identity services. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section.
### Credential Guard
Pass the hash is the most commonly used derived credential attack today. This attack begins with an attacker extracting a user accounts derived credentials (hash value) from memory. Then, by using a product such as Mimikatz, the attacker reuses (passes) those credentials to other machines and resources on the network to gain additional access. Microsoft designed Credential Guard specifically to eliminate derived credential theft and abuse in pass-the-hashtype attacks.
Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash.
For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization_security) section.
**Note**  
Because it requires isolated user mode and a Hyper-V hypervisor, you cannot configure Credential Guard on a VM, only on a physical computer.
 
The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md).
## Windows 10 hardware considerations
Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organizations client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements.
Table 1. Windows 10 hardware requirements
| Windows 10 feature | TPM | Input/output memory management unit | Virtualization extensions | SLAT | UEFI 2.3.1 | x64 architecture only |
|-------------------------------------------------|-----|-------------------------------------|---------------------------|------|------------|-----------------------|
| Credential Guard | R | N | Y | Y | Y | Y |
| Device Guard | N | Y | Y | Y | Y | Y |
| BitLocker | R | N | N | N | N | N |
| Configurable code integrity | N | N | N | N | R | R |
| Microsoft Passport | R | N | N | N | N | N |
| Windows Hello | R | N | N | N | N | N |
| VBS | N | Y | Y | Y | N | Y |
| UEFI Secure Boot | R | N | N | N | Y | N |
| Device health attestation through Measured Boot | Y\* | N | N | N | Y | Y |
 
\* Requires use of TPM 2.0.
**Note**  
In this table, **R** stands for *recommended*, **Y** means that the hardware component is *required* for that Windows 10 feature, and **N** means that the hardware component is *not used* with that Windows 10 feature.
 
## Related topics
[Windows 10 Specifications](http://go.microsoft.com/fwlink/p/?LinkId=717550)
[Making Windows 10 More Personal and More Secure with Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=717551)
[Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md)
[BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md)
[Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md)
[Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md)
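Review bot: the BitLocker Countermeasures link in the SSO bullet, `[BitLocker Countermeasures](1f015738-3bf6-4abb-a1cd-21c04e9ef24f)`, points at a bare asset GUID instead of a topic path and will not resolve; the Related topics list at the end of this same file already uses `../keep-secure/bitlocker-countermeasures.md`, so use that target here as well. Two smaller points in the same file: the Device Encryption bullet switches names mid-sentence ("Whenever devices on which Drive Encryption is enabled join your domain") and should stay with "Device Encryption"; and the configurable code integrity procedure says in step 2 that audit mode is enabled by default, but step 4 only describes removing the Unsigned Policy rule, which the same step ties to signing rather than enforcement, so the reader is never told which rule option actually takes the policy out of audit mode. State that explicitly in step 4 before the signing sentence.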
 
 

View File

@ -0,0 +1,60 @@
---
title: What's new in Trusted Platform Module? (Windows 10)
description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in Trusted Platform Module?
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
## New features in Windows 10, Version 1511
- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
## New features in Windows 10
The following sections describe the new and changed functionality in the TPM for Windows 10:
- [Device health attestation](#BKMK_DHA)
- [Microsoft Passport](microsoft-passport.md) support
- [Device Guard](device-guard-overview.md) support
- [Credential Guard](credential-guard.md) support
## Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
Some things that you can check on the device are:
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
- Is SecureBoot supported and enabled?
**Note**  The device must be running Windows 10 and it must support at least TPM 2.0.
 
[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-technology-overview.md).
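Review bot: the in-page link `[Device health attestation](#BKMK_DHA)` targets an anchor that is never defined; the section below is a plain `## Device health attestation` heading, so either add the `BKMK_DHA` anchor to that heading or link to `#device-health-attestation`. Also fix two typos in this file: "elliptical curve cryptography" in the version 1511 bullet should read "elliptic curve cryptography", and "device heath attestation" in the first paragraph of the attestation section should read "device health attestation".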
 
 

View File

@ -0,0 +1,36 @@
---
title: What's new in User Account Control? (Windows 10)
description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in User Account Control?
**Applies to**
- Windows 10
User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
In Windows 10, User Account Control has added some improvements.
## New features in Windows 10
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md).
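Review bot: the AMSI bullet says that when malware is detected "the admin privilege is blocked", while the Windows Defender section of security.md in this same commit describes the same behaviour as Windows Defender scanning the threat before the UAC prompt is shown; the two files should describe one mechanism consistently (AMSI as the scan interface the elevation request is passed through, the registered antimalware engine doing the scan) and should say what actually happens, that the elevation request is denied, rather than that a privilege is blocked. Minor: "User Account Control has added some improvements" reads awkwardly; "User Account Control includes the following improvements" would do.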
 
 

View File

@ -0,0 +1,121 @@
---
title: What's new in Windows 10 (Windows 10)
description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10"]
ms.prod: W10
author: TrudyHa
---
# What's new in Windows 10
Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. These technical overviews are designed to help you understand key feature changes and benefits and answer common questions about Windows 10 technologies.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[AppLocker](applocker.md)</p></td>
<td align="left"><p>AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[BitLocker](bitlocker.md)</p></td>
<td align="left"><p>BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Browser: Microsoft Edge and Internet Explorer 11](microsoft-edge-and-internet-explorer-11.md)</p></td>
<td align="left"><p>Resources to help you explore the Windows 10 browsing options for your enterprise.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Credential Guard](credential-guard.md)</p></td>
<td align="left"><p>Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Device Guard](device-guard-overview.md)</p></td>
<td align="left"><p>Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isnt trusted it cant run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Enterprise data protection (EDP)](enterprise-data-protection-overview.md)</p></td>
<td align="left"><p>With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprises control like email, social media, and the public cloud.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Enterprise management for Windows 10 devices](device-management.md)</p></td>
<td align="left"><p>Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-from-windows-embedded-industry-8-1.md)</p></td>
<td align="left"><p>Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Microsoft Passport](microsoft-passport.md)</p></td>
<td align="left"><p>In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Provisioning packages](provisioning-and-upgrade.md)</p></td>
<td align="left"><p>With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Security](security.md)</p></td>
<td align="left"><p>There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Security auditing](security-auditing.md)</p></td>
<td align="left"><p>Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Trusted Platform Module](trusted-platform-module.md)</p></td>
<td align="left"><p>This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[User Account Control](user-account-control.md)</p></td>
<td align="left"><p>User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows spotlight on the lock screen](windows-spotlight.md)</p></td>
<td align="left"><p>Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows Store for Business overview](business-store-for-windows-10.md)</p></td>
<td align="left"><p>With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows Update for Business](windows-update-for-busines.md)</p></td>
<td align="left"><p>Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsofts Windows Update service.</p></td>
</tr>
</tbody>
</table>
 
## Learn more
[Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210)
[Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485)
 
 

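Review bot: the link target in the Windows Update for Business row, `windows-update-for-busines.md`, drops the second "s" of "business"; either the target file carries the same misspelling or the link is dead, so confirm the filename and correct one or the other. Several descriptions in the same table have also lost their apostrophes (`isnt`, `cant` in the Device Guard row; `theres`, `enterprises` in the EDP row; `Microsofts` in the Windows Update for Business row), which looks like curly quotes dropped on save; restore them as plain `'`. The Device Guard row's claim that a kernel-level attacker is "much less likely" to run code after a restart should keep the "when configured together" qualifier attached to it, since the sentence as written reads as an unconditional property of the feature.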
View File

@ -0,0 +1,71 @@
---
title: Windows spotlight on the lock screen (Windows 10)
description: Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.
ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
keywords: ["lockscreen"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# Windows spotlight on the lock screen
**Applies to**
- Windows 10
**In this article**
- [What does Windows spotlight include?](#what_does_windows_spotlight_include_)
- [How do you turn off Windows spotlight?](#how_do_you_turn_off_windows_spotlight_)
- [How do you disable Windows spotlight for managed devices?](#how_do_you_disable_windows_spotlight_for_managed_devices_)
- [Related topics](#related_topics)
Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.
## What does Windows spotlight include?
- **Background image**
The Windows spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
![lock screen image](images/lockscreen.png)
- **Feature suggestions, fun facts, tips**
The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
## How do you turn off Windows spotlight?
Go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
![personalization background](images/spotlight.png)
## How do you disable Windows spotlight for managed devices?
Windows spotlight is enabled by default. Administrators can replace Windows spotlight with a selected image using the Group Policy setting **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Force a specific default lock screen image**.
![lockscreen policy details](images/lockscreenpolicy.png)
Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
![fun facts](images/funfacts.png)
## Related topics
[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
 
 

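Review bot: the intro says administrators can prevent Windows spotlight through "a mobile device management (MDM) or Group Policy setting", but the "How do you disable Windows spotlight for managed devices?" section gives only the Group Policy path (Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen image); either name the matching MDM policy or drop MDM from the intro. The heading also says "disable" while the body describes forcing a specific image, so say plainly that the policy replaces the spotlight background rather than turning the feature off, and state the checkbox positively: leaving "Turn off fun facts, tips, tricks, and more on lock screen" cleared keeps the suggestions even though the image is pinned. Minor: "downloaded on ongoing basis" needs "an".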
View File

@ -0,0 +1,49 @@
---
title: What's new in Windows Update for Business? (Windows 10)
description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsofts Windows Update service.
ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: TrudyHa
---
# What's new in Windows Update for Business?
**Applies to**
- Windows 10
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsofts Windows Update service.
## Benefits of Windows Update for Business
By using [Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=699281).
Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx).
## Learn more
[Windows Update for Business](../plan/windows-update-for-business.md)
[Setup and deployment](../plan/setup-and-deployment.md)
[Integration with management solutions](../plan/integration-with-management-solutions-.md)
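Review bot: the third "Learn more" link, `../plan/integration-with-management-solutions-.md`, has a stray hyphen before `.md`; confirm the target filename. The Benefits section also presents Group Policy Objects as the mechanism for all of the listed controls, while the closing paragraph says the service works with System Center Configuration Manager, the Enterprise Mobility Suite and WSUS; say which of the deployment-group, peer-to-peer and deferral settings those tools drive so the GPO sentence does not read as the only option. Minor: "Microsofts Windows Update service" (description and intro) is missing its apostrophe.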