diff --git a/.localization-config b/.localization-config
new file mode 100644
index 0000000000..c24369eb99
--- /dev/null
+++ b/.localization-config
@@ -0,0 +1,8 @@
+{
+  "locales": [ "zh-cn" ],
+  "files": ["!/*.md", "**/**/*.md", "**/*.md"],
+  "includeDependencies": true,
+  "autoPush": true,
+  "xliffVersion": "2.0",
+  "useJavascriptMarkdownTransformer": true
+}
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index e58deb3585..469538cd59 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -61,6 +61,16 @@
             "type_mapping": {
                 "Conceptual": "Content"
             }
+        },
+        {
+            "docset_name": "education",
+            "build_output_subfolder": "education",
+            "locale": "en-us",
+            "version": 0,
+            "open_to_public_contributors": "false",
+            "type_mapping": {
+                "Conceptual": "Content"
+            }
         }
     ],
     "notification_subscribers": ["brianlic@microsoft.com"],
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 7df4d37ea3..d199472eaa 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -84,9 +84,11 @@ IE opens the app’s website.
 **Security Note:**<br>If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking **Allow**. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again.
 
 ## How does IE decide which ActiveX controls to block?
-IE uses Microsoft’s versionlist.xml file to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file.
+IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file.
 
-You can see your copy of the versionlist.xml file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml`, or you can view Microsoft’s version at [Internet Explorer version list](http://go.microsoft.com/fwlink/p/?LinkId=403864).
+You can see your copy of the file here `%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml` or you can view Microsoft’s version, based on your operating system and version of IE, here:
+- [Internet Explorer 11 on Windows 7 SP1 or Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?LinkId=798230)
+- [All other configurations](https://go.microsoft.com/fwlink/p/?LinkId=403864)
 
 **Security Note:**<br>Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt:
 
@@ -171,7 +173,7 @@ Here’s a detailed example and description of what’s included in the VersionA
 ### Inventory your ActiveX controls by using a local WMI class
 For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control.
 
-### Before you begin
+#### Before you begin
 Before you can use WMI to inventory your ActiveX controls, you need to [download the configuration package (.zip file)](http://go.microsoft.com/fwlink/p/?LinkId=616971), which includes:
 
 -   **ConfigureWMILogging.ps1**. A Windows PowerShell script.
diff --git a/education/docfx.json b/education/docfx.json
new file mode 100644
index 0000000000..85ad44817c
--- /dev/null
+++ b/education/docfx.json
@@ -0,0 +1,24 @@
+{
+  "build": {
+    "content":
+      [
+        {
+          "files": ["**/**.md"],
+          "exclude": ["**/obj/**"]
+        }
+      ],
+    "resource": [
+        {
+          "files": ["**/images/**", "**/*.json"],
+          "exclude": ["**/obj/**"]
+        }
+    ],
+    "globalMetadata": {
+        "ROBOTS": "INDEX, FOLLOW"
+    },
+    "externalReference": [
+    ],
+    "template": "op.html",
+    "dest": "edu"
+  }
+}
\ No newline at end of file
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 3077e0371c..6b506dbfd5 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 
 |New or changed topic | Description |
 |----------------------|-------------|
+| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
 | [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
 
 ## April 2016
diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md
index d09240e41c..2642394fff 100644
--- a/windows/keep-secure/configure-the-application-identity-service.md
+++ b/windows/keep-secure/configure-the-application-identity-service.md
@@ -46,11 +46,4 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
 
 3.  Verify that the status for the Application Identity service is **Running**.
 
- 
-
- 
-
-
-
-
-
+Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic**. 
\ No newline at end of file
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
index af9f471ce3..ec41aa5d9a 100644
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@@ -33,7 +33,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
 
 1.  Try to create the PIN again. Some errors are transient and resolve themselves.
 
-2.  Log out, log in, and try to create the PIN again.
+2.  Sign out, sign in, and try to create the PIN again.
 
 3.  Reboot the device and then try to create the PIN again.
 
@@ -44,11 +44,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
 
 <table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
+
 <thead>
 <tr class="header">
 <th align="left">Hex</th>
@@ -57,20 +53,13 @@ If the error occurs again, check the error code against the following table to s
 </tr>
 </thead>
 <tbody>
-<tr class="odd">
-<td align="left">0x801C03ED</td>
-<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
-<p>-or-</p>
-<p>Token was not found in the Authorization header</p>
-<p>-or-</p>
-<p>Failed to read one or more objects</p></td>
-<td align="left">Unjoin the device from Azure Active Directory (Azure AD) and rejoin</td>
-</tr>
+
 <tr class="even">
 <td align="left">0x801C044D</td>
 <td align="left">Authorization token does not contain device ID</td>
 <td align="left">Unjoin the device from Azure AD and rejoin</td>
 </tr>
+
 <tr class="odd">
 <td align="left">0x80090036</td>
 <td align="left">User cancelled an interactive dialog</td>
@@ -95,6 +84,10 @@ If the error occurs again, check the error code against the following table to s
 <td align="left">0x80090005</td>
 <td align="left">NTE_BAD_DATA</td>
 <td align="left">Unjoin the device from Azure AD and rejoin</td>
+</tr><tr class="even">
+<td align="left">0x80090029</td>
+<td align="left">TPM is not set up.</td>
+<td align="left">Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. </td>
 </tr>
 <tr class="even">
 <td align="left">0x80090031</td>
@@ -124,17 +117,17 @@ If the error occurs again, check the error code against the following table to s
 <tr class="odd">
 <td align="left">0x801C0010</td>
 <td align="left">The AIK certificate is not valid or trusted</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C0011</td>
 <td align="left">The attestation statement of the transport key is invalid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C0012</td>
 <td align="left">Discovery request is not in a valid format</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C0015</td>
@@ -159,7 +152,7 @@ If the error occurs again, check the error code against the following table to s
 <tr class="even">
 <td align="left">0x801C03E9</td>
 <td align="left">Server response message is invalid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C03EA</td>
@@ -169,37 +162,42 @@ If the error occurs again, check the error code against the following table to s
 <tr class="even">
 <td align="left">0x801C03EB</td>
 <td align="left">Server response http status is not valid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C03EC</td>
 <td align="left">Unhandled exception from server.</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C03ED</td>
-<td align="left">The request sent to the server was invalid.</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
+<p>-or-</p>
+<p>Token was not found in the Authorization header</p>
+<p>-or-</p>
+<p>Failed to read one or more objects</p>
+<p>-or-</p><p>The request sent to the server was invalid.</p></td>
+<td align="left">Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.</td>
 </tr>
 <tr class="odd">
 <td align="left">0x801C03EE</td>
 <td align="left">Attestation failed</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C03EF</td>
 <td align="left">The AIK certificate is no longer valid</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 <tr class="odd">
 <td align="left">​0x801C044D</td>
 <td align="left">Unable to obtain user token</td>
-<td align="left">Log out and then log in again. Check network and credentials.</td>
+<td align="left">Sign out and then sign in again. Check network and credentials.</td>
 </tr>
 <tr class="even">
 <td align="left">0x801C044E</td>
 <td align="left">Failed to receive user creds input</td>
-<td align="left">Log out and then log in again.</td>
+<td align="left">Sign out and then sign in again.</td>
 </tr>
 </tbody>
 </table>
@@ -214,6 +212,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | Hex         | Cause                                                                                                 |
 |-------------|-------------------------------------------------------------------------------------------------------|
 | 0x80072f0c  | Unknown                                                                                               |
+| 0x80070057 | Invalid parameter or argument is passed |
 | 0x80090027  | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
 | 0x8009002D  | NTE\_INTERNAL\_ERROR                                                                                  |
 | 0x80090020  | NTE\_FAIL                                                                                             |
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index d2d62ba501..ab603ccb7a 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -4,6 +4,7 @@ description: This guide describes the new Windows Hello and Microsoft Passport t
 ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
 keywords: ["security", "credential", "password", "authentication"]
 ms.prod: W10
+ms.pagetype: security
 ms.mktglfcycl: plan
 ms.sitesec: library
 author: challum
@@ -405,7 +406,7 @@ Table 1. Deployment requirements for Microsoft Passport
 
  
 
-Note that the current release of Windows 10 supports the Azure AD–only scenarios. Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
+Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
 
 **Select policy settings**
 
@@ -465,17 +466,19 @@ In the Windows 10 initial release, Microsoft supports the following Microsoft P
 
 -   Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments
 
--   Group Policy settings to control Microsoft Passport PIN length and complexity
+-   Group Policy and MDM settings to control Microsoft Passport PIN length and complexity
+
+In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features:
+
+- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
+
+- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
 
 In future releases of Windows 10, we plan to add support for additional features:
 
--   Additional biometric identifier types, including iris recognition
-
--   Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
-
--   Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
-
--   TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
+- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments
+ 
+- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
 
 In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers.
 
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index 6371799d7f..789cf15e86 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -70,7 +70,9 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
 </tbody>
 </table>
 
- 
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
 
 ## Related topics
 
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 4108cd3ae2..616e800b95 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -538,6 +538,10 @@ After you deploy your devices, you can still configure lockdown settings through
 
 To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as &lt; in place of &lt;). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
 
+## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
+
 ## Related topics
 
 
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index dca8bf4608..227070a768 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -94,6 +94,7 @@ For more information about the MDM protocols, see [Mobile device management](htt
 
 ## Learn more
 
+[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627898.aspx)
 
 [Windows 10, Azure AD and Microsoft Intune: Automatic MDM Enrollment](http://go.microsoft.com/fwlink/p/?LinkId=623321)
 
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md
index 32c891b331..cc81d0801d 100644
--- a/windows/manage/set-up-a-device-for-anyone-to-use.md
+++ b/windows/manage/set-up-a-device-for-anyone-to-use.md
@@ -74,7 +74,9 @@ A Universal Windows app is built on the Universal Windows Platform (UWP), which
 </tbody>
 </table>
 
- 
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
 
  
 
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index 0e347899ad..e2155e0da8 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md
@@ -1107,9 +1107,6 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile
 | Allow Search Suggestions in Address Bar         | Whether search suggestions are shown in the address bar                                               |
 | Allow SmartScreen                               | Whether SmartScreen Filter is enabled                                                                 |
 | First Run URL                                   | The URL to open when a user launches Microsoft Edge for the first time                                |
-| Include Sites Bypassing Proxy In Intranet Sites | Whether websites that bypass the proxy server are able to use the Intranet security zone              |
-| Include UNC Paths In Intranet Sites             | Whether URL paths can represent Universal Naming Convention (UNC) paths in the Intranet security zone |
-| Intranet Sites                                  | A list of the websites that are in the Intranet security zone                                         |
 | Prevent Smart Screen Prompt Override For Files  | Whether users can override the SmartScreen Filter warnings about downloading unverified files         |
 
  
diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md
index 262e5704c5..a8a36b3268 100644
--- a/windows/manage/working-with-line-of-business-apps.md
+++ b/windows/manage/working-with-line-of-business-apps.md
@@ -41,7 +41,7 @@ What you'll have to set up:
 
 -   LOB publishers need to have an app in the Store, or have an app ready to submit to the Store.
 
-### <a href="" id="add-lob-publisher"></a>Add an LOB publisher (admin)
+### <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Store for Business Admin)
 
 For developers within your own organization, or ISVs you're working with to create LOB apps, you'll need to invite them to become a LOB publisher.
 
@@ -49,7 +49,8 @@ For developers within your own organization, or ISVs you're working with to crea
 
 1.  Sign in to the [Windows Store for Business]( http://go.microsoft.com/fwlink/p/?LinkId=623531).
 2.  Click **Settings**, and then choose **LOB publishers**.
-3.  On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.
+3.  On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.<br>
+**Note** This needs to be the email address listed in contact info for the developer account. 
 
 ### <a href="" id="submit-lob-app"></a>Submit apps (LOB publisher)